oss-sec mailing list archives
Re: Re: Travis CI MITM RCE
From: Jakub Wilk <jwilk () jwilk net>
Date: Wed, 31 Oct 2018 15:29:15 +0100
* Daniel Kahn Gillmor <dkg () fifthhorseman net>, 2018-10-29, 08:52:
>> My proposed fix was to use "gpg --recv-key" with full fingerprint. But I now
>> discovered that even this is not resistant against MitM attacks:
>> https://dev.gnupg.org/T3398
>> "[...] modern gpg automatically applies an import screener that only accepts
>> OpenPGP certificates that have the given fingerprint [...]"
>
> It may be even worse than this, because the version of gpg used by default in
> travis is not "modern gpg", it's either gnupg2 2.0.22-3ubuntu1.4 or gnupg
> 1.4.16-1ubuntu2.6. I don't think either of these has the baseline "import
> screener" functionality
Ubuntu Precise and later releases have the import screener backported to the gnupg(2) packages:
https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/1409117

--
Jakub Wilk
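The thread turns on whether the gpg in the build image enforces that a key fetched by fingerprint actually has that fingerprint. Where the import screener is absent (or its presence is uncertain), a CI script can apply the same check itself after `gpg --recv-keys`: list what the keyring now holds in machine-readable form and require exactly one primary key whose fingerprint equals the pinned value. The shell function below is an added example written for this page, not code from the thread, from GnuPG or from Travis CI; the function name `verify_primary_fpr` and the colon-format listings it is fed are constructed for illustration (the fingerprints are placeholders, not real keys). It reads the output of `gpg --with-colons --fingerprint` on stdin, so the real invocation would be `gpg --batch --with-colons --fingerprint "$FPR" | verify_primary_fpr "$FPR"`.

```shell
#!/bin/sh
# Added example (not from the oss-sec thread): re-check a fetched key's
# fingerprint in the CI script, independently of gpg's import screener.
#
# Reads `gpg --with-colons --fingerprint` output on stdin. In that format the
# "fpr" record directly after a "pub" record carries the primary key's full
# fingerprint in field 10. Succeeds only if there is exactly one primary key
# and its fingerprint equals $1 (case and spaces are normalised).
verify_primary_fpr() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    awk -F: -v want="$want" '
        $1 == "pub" { pubs++; expect_fpr = 1; next }
        $1 == "fpr" && expect_fpr {
            expect_fpr = 0
            if ($10 == want) ok++; else bad++
        }
        END { exit (pubs == 1 && ok == 1 && bad == 0) ? 0 : 1 }
    '
}

# Constructed placeholder fingerprint that the CI script would pin in the repo.
EXPECTED_FPR="0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"

# Constructed listing: the expected key, with one signing subkey.
SAMPLE_GOOD=$(cat <<'EOF'
tru::1:1540000000:0:3:1:5
pub:-:4096:1:89ABCDEF01234567:1500000000::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::0000000000000000000000000000000000000000::Example Signer <signer@example.invalid>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1500000000::::::s::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
)

# Constructed listing: the keyserver response carried a key with a different
# primary fingerprint (the situation an import screener is meant to reject).
SAMPLE_WRONG=$(cat <<'EOF'
tru::1:1540000000:0:3:1:5
pub:-:4096:1:1111111111111111:1500000000::-:::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:-::::1500000000::0000000000000000000000000000000000000000::Example Signer <signer@example.invalid>::::::::::0:
EOF
)

# Constructed listing: the right key plus an unexpected second primary key.
SAMPLE_EXTRA=$(cat <<'EOF'
tru::1:1540000000:0:3:1:5
pub:-:4096:1:89ABCDEF01234567:1500000000::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::0000000000000000000000000000000000000000::Example Signer <signer@example.invalid>::::::::::0:
pub:-:4096:1:2222222222222222:1500000000::-:::scESC::::::23::0:
fpr:::::::::2222222222222222222222222222222222222222:
uid:-::::1500000000::0000000000000000000000000000000000000000::Someone Else <other@example.invalid>::::::::::0:
EOF
)

# Demo run over the constructed listings; in CI the stdin would come from gpg.
demo() {
    for name in GOOD WRONG EXTRA; do
        eval "listing=\$SAMPLE_$name"
        if printf '%s\n' "$listing" | verify_primary_fpr "$EXPECTED_FPR"; then
            echo "$name: fingerprint check passed"
        else
            echo "$name: fingerprint check FAILED (abort the build)"
        fi
    done
}
```

Feeding the listing through a strict check like this makes the build fail closed when the key material does not match the pinned fingerprint, which is the property the thread says older gpg versions may not provide on their own; the check is deliberately fussy about a second `pub` record as well, since a keyring that silently gained an extra key is not what the pin expressed.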
Current thread:
- Re: Travis CI MITM RCE Jakub Wilk (Oct 18)
- Re: Travis CI MITM RCE zugtprgfwprz (Oct 20)
- <Possible follow-ups>
- Re: Travis CI MITM RCE Jakub Wilk (Oct 27)
- Re: Re: Travis CI MITM RCE Daniel Kahn Gillmor (Oct 29)
- Re: Re: Travis CI MITM RCE Jakub Wilk (Oct 31)
- Re: Re: Travis CI MITM RCE Daniel Kahn Gillmor (Oct 29)