oss-sec mailing list archives
gpg blindly imports keys from keyserver responses
From: Thijs Kinkhorst <thijs () debian org>
Date: Mon, 1 Sep 2014 20:33:20 +0200
All,

Stefan Tomanek reported to Debian that GnuPG accepts any key as a response from a keyserver, regardless of whether that key was actually requested:

https://bugs.debian.org/725411

There's some discussion about the issue; we believe that the primary way to verify key ownership is still the web of trust and manual fingerprint verification. It is however argued that as a user, requesting keys based on specifying the full fingerprint is a safe way to retrieve a key for a known-good fingerprint. But this argument is again somewhat countered by an attack on V3 keys which allows generating such fingerprints, making such a request dubious again.

All in all, the safe choice seems to be to patch this issue, so Debian will release updates for it. It has been fixed upstream in GnuPG 1.4.17 with this commit:

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=5230304349490f31aa64ee2b69a8a2bc06bf7816

I'll leave it to the numbering authorities whether this is something that should get a CVE id.

Cheers,
Thijs Kinkhorst
Debian Security Team
Attachment:
signature.asc
Description: This is a digitally signed message part.
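The two points in the report, that a client must check that what the keyserver returned is the key it asked for, and that a full V3 fingerprint is still not a safe handle, are illustrated by the following added example. It is not GnuPG code, not the upstream fix, and not part of the original post; it parses an OpenPGP key block per RFC 4880, computes v3 and v4 fingerprints, keeps only the v4 certificate whose fingerprint was requested, and shows two distinct v3 keys sharing one fingerprint. All key material (moduli, user IDs, the "keyserver response" byte string) is constructed inline and is not a real key.

```python
"""Added example, not GnuPG code: import from a keyserver response only the
certificate whose primary-key fingerprint was actually requested, and show
why a full V3 fingerprint still does not identify a key. Key material is
constructed for the example (the moduli are arbitrary integers, not RSA)."""
import hashlib

TAG_PUBKEY, TAG_USERID = 6, 13


def mpi(n):
    """RFC 4880 3.2 MPI: two-octet bit count, then the big-endian value."""
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")


def read_mpis(body, off):
    """MPI values (without their length prefixes) from offset off to the end."""
    out = []
    while off < len(body):
        size = (int.from_bytes(body[off:off + 2], "big") + 7) // 8
        out.append(body[off + 2:off + 2 + size])
        off += 2 + size
    return out


def old_packet(tag, body):
    """Old-format packet header (RFC 4880 4.2.1) with a 1/2/4-octet length."""
    ltype, lb = (0, 1) if len(body) < 0x100 else (1, 2) if len(body) < 0x10000 else (2, 4)
    return bytes([0x80 | (tag << 2) | ltype]) + len(body).to_bytes(lb, "big") + body


def parse_packets(blob):
    """Split blob into (tag, body) pairs. Old- and new-format headers are
    handled; partial body lengths are not (they do not occur in key material)."""
    out, i = [], 0
    while i < len(blob):
        ctb = blob[i]
        if not ctb & 0x80:
            raise ValueError("malformed packet header")
        if ctb & 0x40:  # new-format header
            tag, first = ctb & 0x3F, blob[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + blob[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(blob[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body length not supported")
        else:  # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            lb = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(blob[i + 1:i + 1 + lb], "big"), 1 + lb
        body = blob[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        out.append((tag, body))
        i += hdr + length
    return out


def v4_key_body(n, e, created):  # algorithm 1 = RSA
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v3_key_body(n, e, created, validity_days=0):
    return b"\x03" + created.to_bytes(4, "big") + validity_days.to_bytes(2, "big") + b"\x01" + mpi(n) + mpi(e)


def key_fingerprint(body):
    """(version, fingerprint, key ID) of a public-key packet body (RFC 4880 12.2).
    v4 hashes 0x99, the body length and the whole body, so every field is bound.
    v3 hashes only the MPI values, without their lengths, and its key ID is just
    the low 64 bits of the modulus, which whoever makes the key chooses freely."""
    version = body[0]
    if version == 4:
        fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
        return 4, fpr, fpr[-16:]
    if version in (2, 3):
        mpis = read_mpis(body, 8)  # version, created, validity, algorithm = 8 octets
        return version, hashlib.md5(b"".join(mpis)).hexdigest().upper(), mpis[0][-8:].hex().upper()
    raise ValueError(f"unsupported key version {version}")


def filter_response(requested_fpr, blob):
    """Group the response into certificates (a primary key and everything up to
    the next one) and accept only a v4 certificate whose fingerprint matches.
    Returns (accepted certificates, [(fingerprint, reason) for the rest])."""
    want = requested_fpr.replace(" ", "").upper()
    certs = []
    for tag, body in parse_packets(blob):
        if tag == TAG_PUBKEY:
            certs.append([])
        if not certs:
            raise ValueError("packet before the first primary key")
        certs[-1].append((tag, body))
    accepted, rejected = [], []
    for cert in certs:
        version, fpr, _ = key_fingerprint(cert[0][1])
        if version != 4:
            rejected.append((fpr, f"v{version} key: fingerprint and key ID are forgeable"))
        elif fpr != want:
            rejected.append((fpr, "not the requested key"))
        else:
            accepted.append(cert)
    return accepted, rejected


def shift_mpi_boundary(n, e, k):
    """Move the first k octets of e onto the end of n. The concatenated MPI
    values, and so the v3 fingerprint, stay the same while n and e change."""
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    if k >= len(eb) or eb[k] == 0:
        raise ValueError("remainder of e would start with a zero octet, which an MPI cannot carry")
    return int.from_bytes(nb + eb[:k], "big"), int.from_bytes(eb[k:], "big")


# Constructed sample values (top bit set so MPI lengths are unambiguous); not real keys.
N_ALICE = 0xD3B2A1F09E8C7B6A5F4E3D2C1B0A9988
N_MALLORY = 0xA1B2C3D4E5F60718293A4B5C6D7E8F90
N_V3 = 0xFEEDFACECAFEBEEF0123456789ABCDEF
E = 65537
CREATED = 1409596400  # 2014-09-01 18:33:20 UTC, the date of the report

REQUESTED_FPR = key_fingerprint(v4_key_body(N_ALICE, E, CREATED))[1]

# A constructed response to a request for REQUESTED_FPR: an unrelated v4 key
# first, then the requested key, then a v3 key. Before the fix, gpg imported all.
SAMPLE_RESPONSE = (
    old_packet(TAG_PUBKEY, v4_key_body(N_MALLORY, E, CREATED)) + old_packet(TAG_USERID, b"Mallory <mallory@example.org>")
    + old_packet(TAG_PUBKEY, v4_key_body(N_ALICE, E, CREATED)) + old_packet(TAG_USERID, b"Alice <alice@example.org>")
    + old_packet(TAG_PUBKEY, v3_key_body(N_V3, E, CREATED))
)


def v3_fingerprint_collision():
    """Two v3 keys with different (n, e): same fingerprint, different key IDs."""
    n2, e2 = shift_mpi_boundary(N_V3, E, 2)
    return key_fingerprint(v3_key_body(N_V3, E, CREATED)), key_fingerprint(v3_key_body(n2, e2, CREATED))


if __name__ == "__main__":
    accepted, rejected = filter_response(REQUESTED_FPR, SAMPLE_RESPONSE)
    print("accepted:", [key_fingerprint(c[0][1])[1] for c in accepted])
    print("rejected:", rejected)
    print("v3 collision:", v3_fingerprint_collision())
```

The filter rejects on the primary key's fingerprint rather than on a key ID, since a v4 key ID is just the low 64 bits of the fingerprint and a v3 key ID is the low 64 bits of a modulus the key's creator picks. The v3 case is rejected outright: as `v3_fingerprint_collision` shows, the v3 fingerprint covers the MPI values without their lengths, so octets can be shifted from e to n without changing it, which is why the post calls a request by full v3 fingerprint dubious.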
Current thread:
- gpg blindly imports keys from keyserver responses Thijs Kinkhorst (Sep 01)
- Re: gpg blindly imports keys from keyserver responses Kristian Fiskerstrand (Sep 01)
- Re: gpg blindly imports keys from keyserver responses mancha (Sep 01)
- Re: gpg blindly imports keys from keyserver responses Kristian Fiskerstrand (Sep 01)
- Re: gpg blindly imports keys from keyserver responses mancha (Sep 01)
- Re: gpg blindly imports keys from keyserver responses mancha (Sep 01)
- Re: gpg blindly imports keys from keyserver responses Werner Koch (Sep 01)
- Re: gpg blindly imports keys from keyserver responses Kristian Fiskerstrand (Sep 01)
- Re: gpg blindly imports keys from keyserver responses Daniel Kahn Gillmor (Sep 01)