[Pkg-gnupg-maint] gpg blindly imports keys from keyserver responses

Thijs Kinkhorst thijs at debian.org
Mon Sep 1 18:33:20 UTC 2014


All,

Stefan Tomanek reported to Debian that GnuPG accepts any key as a response 
from a keyserver, regardless of whether that key was actually requested:
https://bugs.debian.org/725411

There's some discussion about the issue; we believe that the primary way to 
verify key ownership is still the web of trust and manual fingerprint 
verification. It is however argued that as a user, requesting keys based on 
specifying the full fingerprint is a safe way to retrieve a key for a known-good 
fingerprint. But this argument is again somewhat countered by an attack 
on V3 keys which allows generating such fingerprints, making such a request 
dubious again.

All in all, the safe choice seems to be to patch this issue, so Debian will 
release updates for it. It has been fixed upstream in GnuPG 1.4.17 with this 
commit:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=5230304349490f31aa64ee2b69a8a2bc06bf7816

I'll leave it to the numbering authorities whether this is something that 
should get a CVE id.


Cheers,
Thijs Kinkhorst
Debian Security Team
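As an added example (not from the bug report, the Debian update, or the upstream GnuPG commit), the check the fix implies, done after the fact: parse a `gpg --with-colons` style listing of what a keyserver returned for one `--recv-keys` request and keep only the key whose fingerprint matches the identifier that was asked for, treating 32-digit V3 fingerprints as untrustworthy identifiers for the reason given above. The listing, key IDs, fingerprints and user IDs below are constructed.

```python
import re

# Constructed sample in `gpg --with-colons` listing format (pub/fpr/uid records),
# standing in for a keyserver response: the key asked for, an extra key, a V3 key.
SAMPLE_LISTING = """\
pub:-:2048:1:89ABCDEF01234567:1409500000::-:::scESC::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1409500000::HASH::Requested Key <requested@example.org>::::::::::
pub:-:2048:1:33221100FFEEDDCC:1409500000::-:::scESC::::::
fpr:::::::::FFEEDDCCBBAA99887766554433221100FFEEDDCC:
uid:-::::1409500000::HASH::Unrequested Extra <extra@example.org>::::::::::
pub:-:1024:1:0011223344556677:1409500000::-:::scESC::::::
fpr:::::::::00112233445566778899AABBCCDDEEFF:
uid:-::::1409500000::HASH::Old V3 Key <v3@example.org>::::::::::
"""

def parse_listing(text: str) -> list:
    """Group pub/fpr/uid records into one dict per key (first uid only)."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4].upper(), "fpr": "", "uid": ""})
        elif f[0] == "fpr" and keys:
            keys[-1]["fpr"] = f[9].upper()
        elif f[0] == "uid" and keys and not keys[-1]["uid"]:
            keys[-1]["uid"] = f[9]
    return keys

def filter_response(keys: list, requested: str) -> tuple:
    """Keep keys matching an 8/16-digit key ID or 40-digit V4 fingerprint
    (optional 0x prefix); return (accepted, [(uid, reason) rejected])."""
    want = re.sub(r"^0X|\s", "", requested.upper())
    if not re.fullmatch(r"[0-9A-F]{8}|[0-9A-F]{16}|[0-9A-F]{40}", want):
        raise ValueError("not a key ID or V4 fingerprint: %r" % requested)
    accepted, rejected = [], []
    for k in keys:
        if len(k["fpr"]) != 40:
            # A 32-digit (MD5-based) V3 fingerprint can be crafted, so a match proves nothing.
            rejected.append((k["uid"], "V3 key: fingerprint not a trustworthy identifier"))
        elif k["fpr"].endswith(want):
            accepted.append(k)  # a V4 key ID is the trailing 32/64 bits of its fingerprint
        else:
            rejected.append((k["uid"], "not the requested key"))
    return accepted, rejected

if __name__ == "__main__":
    good, bad = filter_response(parse_listing(SAMPLE_LISTING), "0x89ABCDEF01234567")
    print("import:", [k["uid"] for k in good], "\nreject:", bad)
```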