[pkg-gnupg-maint] Bug#787045: gpg re-imports subkeys of known types repeatedly (ECC keys grow without bound)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu May 28 05:16:10 UTC 2015 

Package: gnupg2
Version: 2.0.14
Severity: important
Control: tags -1 + patch
Control: forwarded -1 https://bugs.gnupg.org/gnupg/issue1962
Control: clone -1 -2
Control: reassign -2 gnupg
Control: found -2 1.4.10
Control: fixed -1 2.1.4-1

If an OpenPGP certificate has a subkey of an unknown type, and a user
has that cert in their keyring, then subsequent imports of the same cert
will cause the keyring to grow without bound.

This can be tried with gniibe's key:

  gpg2 --keyserver keys.gnupg.net --recv 0x00B45EBD4CA7BABE

after the first import, you'll see:

pub   2048R/0x00B45EBD4CA7BABE 2010-10-15
      Key fingerprint = 1241 24BD 3B48 62AF 7A0A  42F1 00B4 5EBD 4CA7 BABE
uid                 [  full  ] NIIBE Yutaka <gniibe at fsij.org>
uid                 [  full  ] NIIBE Yutaka <gniibe at debian.org>
sub      0E/0x824E72CE975B9053 2014-01-16
sub   2048R/0x79A79093084239CF 2010-10-15
sub   2048R/0x9C33B6BA5BB065DC 2010-10-22


and then the following import will repeat the ECC subkey:

pub   2048R/0x00B45EBD4CA7BABE 2010-10-15
      Key fingerprint = 1241 24BD 3B48 62AF 7A0A  42F1 00B4 5EBD 4CA7 BABE
uid                 [  full  ] NIIBE Yutaka <gniibe at fsij.org>
uid                 [  full  ] NIIBE Yutaka <gniibe at debian.org>
sub      0E/0x824E72CE975B9053 2014-01-16
sub   2048R/0x79A79093084239CF 2010-10-15
sub   2048R/0x9C33B6BA5BB065DC 2010-10-22
sub      0E/0x824E72CE975B9053 2014-01-16


This continues without end, which makes the keyring grow without bound
if the user is in the (good) habit of regularly doing a gpg --refresh.

As ECC keys become more widely used in general, this will become more of
a problem.  older versions of GnuPG don't need to understand ECC keys,
but they need to not choke on them in this way.

gniibe has provided fixes for the 2.0 and 1.4 branches, which he pointed
to here:

https://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/2015-May/002510.html

Fix in GnuPG 1.4:

    http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=04667cabef2d6aaa214b288482bb902c891893a5

Fix in GnuPG 2.0:

    http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=43429c7869152f301157e4b24790b3801dce0f0a


    --dkg

More information about the pkg-gnupg-maint mailing list