[pkg-gnupg-maint] Bug#894983: gnupg2: CVE-2018-9234: Able to certify public keys without a certify key present when using smartcard
NIIBE Yutaka
gniibe at fsij.org
Fri Apr 6 01:15:51 UTC 2018
Hello,
Thank you for the bug report.
Salvatore Bonaccorso <carnil at debian.org> wrote:
> The following vulnerability was published for gnupg2:
Vulnerability? ... well, kind of.
Given this is escalated to CVE, I considered and evaluated the problem
again.
I think that we need to fix the checking of signature by a key which
does not have a capability to certify other keys.
> CVE-2018-9234[0]:
> | GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key
> | certification requires an offline master Certify key, which results in
> | apparently valid certifications that occurred only with access to a
> | signing subkey.
This description does not sound accurate to me. In my opinion, the
certifications are invalid.
The smartcard problem was introduced by these commits of mine:
commit fbb2259d22e6c6eadc2af722bdc52922da348677
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Mon May 22 09:27:36 2017 +0900
g10: Fix default-key selection for signing, possibly by card.
and
commit 97a2394ecafaa6f58e4a1f70ecfd04408dc15606
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Thu Apr 27 10:33:58 2017 +0900
g10: For signing, prefer available card key when no -u option.
2.1.21 or later versions have this problem. It will be fixed in
forthcoming 2.2.6.
Invalid certifications can only be generated by GnuPG 2.1/2.2 with
smartcard, not by 2.0 or 1.4.
> Please adjust the affected versions in the BTS as needed. Can you
> clarify if this affects as well way back to STABLE-BRANCH-1-4?
Checking for invalid certifications would be worthwhile for all branches of
GnuPG. As for the fix to the checking, I'm not that confident whether my
proposed fix, gpg-CVE-2018-9234.diff at [0], is correct or not. Review is required.
[0] https://dev.gnupg.org/T3844
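The check the message calls for (a certification signature must come from a key that has the certify capability) can also be run by a keyring owner over an existing keyring, to find certifications that an affected GnuPG 2.1.21 to 2.2.5 may have produced with a sign-only card subkey. The following audit script is an added example written for this page; it is not GnuPG's own code and not the gpg-CVE-2018-9234.diff proposed in T3844. It parses the colon-delimited listing of `gpg --with-colons --list-sigs` (field layout per doc/DETAILS in the GnuPG source: field 5 key ID, field 10 user ID, field 11 signature class, field 12 key capabilities, where lower-case letters are the key's own capabilities) and flags every user-ID certification (OpenPGP classes 0x10 to 0x13) whose issuer lacks `c` or is not in the keyring. The key IDs, user IDs and dates in `SAMPLE_LISTING` are constructed, not real keys.

```python
"""Flag OpenPGP user-ID certifications whose issuer key lacks the certify
capability. Input: output of `gpg --with-colons --list-sigs` (constructed
sample below). Added example for this page; not GnuPG's own code."""
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Certification signature classes (RFC 4880 section 5.2.1): generic,
# persona, casual and positive certification of a user ID.
CERTIFICATION_CLASSES = {0x10, 0x11, 0x12, 0x13}

# Constructed, abridged listing (not a real keyring): key A is a primary key
# with sign+certify capability and a sign-only subkey; Bob's user ID carries
# certifications from A's primary key, from A's signing subkey, and from a
# key that is not in the keyring at all.
SAMPLE_LISTING = """\
pub:u:255:22:AAAAAAAAAAAAAAA1:1516000000::::::scESC::::::23::0:
uid:u::::1516000000::HASHA::Alice <alice@example.org>::::::::::0:
sig:::22:AAAAAAAAAAAAAAA1:1516000000::::Alice <alice@example.org>:13x::::::8:
sub:u:255:22:AAAAAAAAAAAAAAA2:1516000000::::::s::::::23:
sig:::22:AAAAAAAAAAAAAAA1:1516000000::::Alice <alice@example.org>:18x::::::8:
pub:-:255:22:BBBBBBBBBBBBBBB1:1517000000::::::scESC::::::23::0:
uid:-::::1517000000::HASHB::Bob <bob@example.org>::::::::::0:
sig:::22:BBBBBBBBBBBBBBB1:1517000000::::Bob <bob@example.org>:13x::::::8:
sig:::22:AAAAAAAAAAAAAAA1:1517100000::::Alice <alice@example.org>:10x::::::8:
sig:::22:AAAAAAAAAAAAAAA2:1517200000::::Alice <alice@example.org>:10x::::::8:
sig:::22:CCCCCCCCCCCCCCC1:1517300000::::[User ID not found]:10x::::::8:
"""


@dataclass
class Finding:
    certified_key: str   # long key ID of the key whose user ID was certified
    user_id: str
    issuer: str          # long key ID of the key that made the certification
    sig_class: int
    reason: str          # "issuer-not-certify-capable" or "issuer-unknown"


def own_capabilities(caps_field: str) -> Set[str]:
    """Lower-case letters in field 12 are this key's own capabilities; the
    upper-case letters summarise the whole key and are ignored here."""
    return {ch for ch in caps_field if ch.islower()}


def key_capabilities(listing: str) -> Dict[str, Set[str]]:
    """First pass: map every primary key and subkey ID to its own capabilities,
    so that an issuer listed later in the keyring is still resolvable."""
    caps: Dict[str, Set[str]] = {}
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub", "sec", "ssb") and len(f) > 11:
            caps[f[4]] = own_capabilities(f[11])
    return caps


def find_invalid_certifications(listing: str) -> List[Finding]:
    """Second pass: for each sig record under a user ID, require the issuer
    to be a known key whose own capabilities include 'c'."""
    caps = key_capabilities(listing)
    findings: List[Finding] = []
    current_key: Optional[str] = None
    current_uid: Optional[str] = None
    for line in listing.splitlines():
        f = line.split(":")
        rtype = f[0]
        if rtype in ("pub", "sec"):
            current_key, current_uid = f[4], None
        elif rtype == "uid":
            current_uid = f[9]
        elif rtype in ("sub", "ssb"):
            current_uid = None  # sigs that follow are binding sigs, not certifications
        elif rtype == "sig" and current_uid is not None and len(f) > 10 and f[10]:
            sig_class = int(f[10][:2], 16)
            if sig_class not in CERTIFICATION_CLASSES:
                continue
            issuer = f[4]
            if issuer not in caps:
                reason = "issuer-unknown"
            elif "c" not in caps[issuer]:
                reason = "issuer-not-certify-capable"
            else:
                continue
            findings.append(Finding(current_key or "", current_uid, issuer, sig_class, reason))
    return findings


if __name__ == "__main__":
    # Pipe a real listing in: gpg --with-colons --list-sigs | python3 audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for fnd in find_invalid_certifications(data):
        print(f"{fnd.certified_key} uid={fnd.user_id!r} issuer={fnd.issuer} "
              f"class=0x{fnd.sig_class:02x} {fnd.reason}")
```

On the constructed sample this reports two findings on Bob's key: the certification issued by Alice's sign-only subkey (the case the message describes) and the one whose issuer is not in the keyring, which the script cannot judge either way. The script only inspects the listing; it does not verify any signature cryptographically, so pair it with `gpg --check-sigs` when auditing a real keyring.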