[pkg-gnupg-maint] Bug#894983: gnupg2: CVE-2018-9234: Able to certify public keys without a certify key present when using smartcard

Werner Koch wk at gnupg.org
Fri Apr 6 14:08:16 UTC 2018


On Thu,  5 Apr 2018 22:49, carnil at debian.org said:

> CVE-2018-9234[0]:
> | GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key
> | certification requires an offline master Certify key, which results in
> | apparently valid certifications that occurred only with access to a
> | signing subkey.

That is more a description of an unspecified behaviour of OpenPGP. It is
from the specs not clear whether a subkey shall be able to certify a
userid or a subkey.

The problem with such a certification from a subkey is that you can't
evaluate it due to the catch-22: The key usage flags are part of the
signature itself and to check the signature you need to have the usage
flags.  For the primary key this is not a problem because it implicitly
has certification usage.

We are currently testing a patch but are also considering to disallow
certification from subkeys at all.

> Please adjust the affected versions in the BTS as needed. Can you
> clarify if this affects as well way back to STABLE-BRANCH-1-4?

We won't do any large change to 1.4 and may eventually remove smart card
support from 1.4 - it is anyway very limited when not used with 2.2
gpg-agent and even then it does not support everything we have in 2.2.



Salam-Shalom,

   Werner



p.s.
I am a bit wondering whether escalating this bug report
(https://dev.gnupg.org/T3844) via a CVE was a sensible strategy.

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are governed by a federal law.
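The catch-22 above means a certification whose issuer is a subkey cannot be evaluated the way one from a primary key can. A keyring can be checked for such certifications from the outside: in `gpg --with-colons --list-sigs` output, field 5 of a `sig` record is the issuer key ID, and if that key ID matches a `sub` record rather than a `pub` record, the certification was issued by a subkey. The parser below is an added example, not GnuPG's or the author's code; the listing it runs on is constructed, and it can only recognise subkeys that appear in the listing.

```python
# Constructed sample of `gpg --with-colons --list-sigs` output (field layout per
# GnuPG doc/DETAILS: field 5 = key ID, field 10 = user ID, field 11 = sig class).
# Alice's key has a signing-only subkey FEDCBA9876543210; Bob's user ID carries a
# certification (class 0x10) issued by that subkey rather than by Alice's primary key.
SAMPLE_LISTING = """\
pub:u:2048:1:0123456789ABCDEF:1522972800:::u:::scESC:
uid:u::::1522972800::0000::Alice (constructed) <alice@example.org>:
sig:::1:0123456789ABCDEF:1522972800::::Alice (constructed) <alice@example.org>:13x:
sub:u:2048:1:FEDCBA9876543210:1522972800:::::s:
sig:::1:0123456789ABCDEF:1522972800::::Alice (constructed) <alice@example.org>:18x:
pub:u:2048:1:1111222233334444:1522972800:::u:::scESC:
uid:u::::1522972800::0000::Bob (constructed) <bob@example.org>:
sig:::1:1111222233334444:1522972800::::Bob (constructed) <bob@example.org>:13x:
sig:::1:FEDCBA9876543210:1522972800::::Alice (constructed) <alice@example.org>:10x:
"""

# Certification signature classes on user IDs (RFC 4880 section 5.2.1: 0x10..0x13).
CERTIFICATION_CLASSES = ("10", "11", "12", "13")


def parse_colons(listing):
    """Split a --with-colons listing into records (lists of fields); blank lines are skipped."""
    return [line.split(":") for line in listing.splitlines() if line.strip()]


def find_subkey_issued_certifications(listing):
    """Return (certified key ID, certified user ID, issuer key ID, sig class) for every
    user-ID certification whose issuer key ID belongs to a *subkey* in the listing.
    Only subkeys present in the listing can be recognised; an issuer absent from the
    keyring is not reported at all."""
    records = parse_colons(listing)
    subkeys = {rec[4] for rec in records if rec[0] == "sub"}
    findings = []
    current_key = current_uid = None
    for rec in records:
        if rec[0] == "pub":
            current_key, current_uid = rec[4], None
        elif rec[0] == "uid":
            current_uid = rec[9]
        elif rec[0] == "sub":
            current_uid = None  # sig records after a sub are subkey bindings, not certifications
        elif rec[0] == "sig" and current_uid is not None:
            issuer, sig_class = rec[4], rec[10]
            if sig_class[:2] in CERTIFICATION_CLASSES and issuer in subkeys:
                findings.append((current_key, current_uid, issuer, sig_class))
    return findings


if __name__ == "__main__":
    for key, uid, issuer, cls in find_subkey_issued_certifications(SAMPLE_LISTING):
        print(f"key {key} uid {uid!r}: class {cls} certification issued by subkey {issuer}")
```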