[Pkg-gnupg-maint] Bug#725411: gnupg: gpg blindly imports keys from keyserver responses

Stefan Tomanek stefan at pico.ruhr.de
Sat Oct 5 12:26:28 UTC 2013


Package: gnupg
Version: 1.4.12-7+deb7u1
Severity: normal

Dear Maintainer,

the current release versions of gnupg (1.4 as well as 2) blindly import
anything returned from a keyserver; even when requesting a key by its most
specific identifier (full fingerprint), the server is free to return anything -
a different key, or even a bunch of keys.  Up until today, it was even possible
to inject secret keys into a system by just running an MITM attack against the
keyserver or its client (a patch has been included to prevent this).

While the trust model of gpg prevents the worst, being able to pollute the keyring
of a victim with unwanted keys creates a situation that might confuse the user and
lead to mistakes compromising security (e.g. by selecting a wrong and possibly
falsified key).

Gnupg should check any keys returned from a keyserver request for plausibility with
the initial request and reject anything not matching the criteria set.

The attached patch provides this functionality.


-- System Information:
Debian Release: 7.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnupg depends on:
ii  dpkg          1.16.10
ii  gpgv          1.4.12-7+deb7u1
ii  install-info  4.13a.dfsg.1-10
ii  libbz2-1.0    1.0.6-4
ii  libc6         2.13-38
ii  libreadline6  6.2+dfsg-0.1
ii  libusb-0.1-4  2:0.1.12-20+nmu1
ii  zlib1g        1:1.2.7.dfsg-13

Versions of packages gnupg recommends:
pn  gnupg-curl     <none>
ii  libldap-2.4-2  2.4.31-1+nmu2

Versions of packages gnupg suggests:
ii  eog           3.4.2-1+build1
pn  gnupg-doc     <none>
ii  imagemagick   8:6.7.7.10-5+deb7u2
ii  libpcsclite1  1.8.4-1+deb7u1

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-filter-and-verify-keyserver-responses.patch
Type: text/x-diff
Size: 9977 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20131005/f6a376d2/attachment.patch>
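The plausibility check the report asks for, as an added stand-alone example written for this page; it is not the attached patch and not GnuPG code. It walks the OpenPGP packet stream a keyserver returned (RFC 4880 framing, old and new header formats), computes the v4 fingerprint of every primary public key, keeps only key blocks whose fingerprint matches the requested identifier (full fingerprint, long or short key ID), and refuses the whole response if it carries secret-key packets. The two sample keys are constructed from arbitrary moduli, not real keys, and only v4 fingerprints are handled, which is an assumption of this example.

```python
import hashlib
import struct

TAG_SECKEY, TAG_PUBKEY, TAG_SECSUBKEY = 5, 6, 7
SECRET_TAGS = {TAG_SECKEY, TAG_SECSUBKEY}


def parse_packets(data):
    """Yield (tag, body) for each OpenPGP packet, old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet tag byte at offset %d" % i)
        if ctb & 0x40:                              # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = struct.unpack(">I", data[i + 2:i + 6])[0], i + 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                       # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, i = data[i + 1], i + 2
            elif ltype == 1:
                length, i = struct.unpack(">H", data[i + 1:i + 3])[0], i + 3
            elif ltype == 2:
                length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
            else:
                raise ValueError("indeterminate length is not supported")
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length


def v4_fingerprint(pubkey_body):
    """RFC 4880 12.2: SHA-1 over 0x99, the two-byte body length and the key body."""
    prefix = b"\x99" + struct.pack(">H", len(pubkey_body))
    return hashlib.sha1(prefix + pubkey_body).hexdigest().upper()


def normalize_request(ident):
    """Accept a '0x' prefix, spaces and lower case; return upper-case hex."""
    ident = ident.replace(" ", "")
    if ident[:2].lower() == "0x":
        ident = ident[2:]
    ident = ident.upper()
    if len(ident) not in (8, 16, 40) or any(c not in "0123456789ABCDEF" for c in ident):
        raise ValueError("request must be a short key ID, long key ID or fingerprint")
    return ident


def filter_keyserver_response(requested, data):
    """Return (accepted, seen): fingerprints matching the request, and all seen.

    Raises ValueError if the response carries secret-key packets; a keyserver
    never legitimately returns those, so nothing from such a response is used.
    """
    want = normalize_request(requested)
    accepted, seen = [], []
    for tag, body in parse_packets(data):
        if tag in SECRET_TAGS:
            raise ValueError("keyserver response contains secret key material")
        if tag != TAG_PUBKEY or body[:1] != b"\x04":
            continue            # user IDs, signatures, subkeys: part of current block
        fpr = v4_fingerprint(body)
        seen.append(fpr)
        if fpr.endswith(want):  # key IDs are the low-order bits of the fingerprint
            accepted.append(fpr)
    return accepted, seen


def _mpi(value):
    """Encode an integer as an OpenPGP MPI: bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def make_key_packet(tag, created, n, e=65537):
    """Old-format packet with a v4 RSA key body (constructed sample, not a real key)."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)
    return bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body


# Constructed sample keys: arbitrary moduli, only meant to exercise the filter.
KEY_A = make_key_packet(TAG_PUBKEY, 1380976000, (1 << 1023) | 0xC0FFEE)
KEY_B = make_key_packet(TAG_PUBKEY, 1380976001, (1 << 1023) | 0xBADCAFE)
FPR_A, FPR_B = v4_fingerprint(KEY_A[3:]), v4_fingerprint(KEY_B[3:])

if __name__ == "__main__":
    polluted = KEY_A + KEY_B                      # requested key plus an unrelated one
    print(filter_keyserver_response(FPR_A, polluted))
    print(filter_keyserver_response("0x" + FPR_A[-16:].lower(), polluted))
    try:
        filter_keyserver_response(FPR_A, polluted + make_key_packet(TAG_SECKEY, 1, 7))
    except ValueError as exc:
        print("rejected:", exc)
```

Matching on the fingerprint suffix is what makes short and long key IDs work without a separate code path, but it also preserves the weakness of short IDs: a server that controls a colliding 32-bit ID still gets its key through, so requests by full fingerprint are the only ones this filter can make exact.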

