Re: [CVE-2015-0839] hp-plugin binary driver verification

[Daniel Kahn Gillmor <dkg () fifthhorseman net>]

On Fri 2015-05-29 09:00:35 -0400, Enrico Zini wrote:
> I was forced to run hp-plugin to download a binary driver for the new
> printer, and I noticed this bit:
>
>   Downloading plug-in from:
>   Receiving digital keys: /usr/bin/gpg --homedir /home/enrico/.hplip/.gnupg --no-permission-warning --keyserver 
> pgp.mit.edu --recv-keys 0xA59047B9
>   Creating directory plugin_tmp
>   Verifying archive integrity... All good.
>
> The use of a short key ID worries me, because it is now trivial to
> generate keys with arbitrary key IDs, and gpg --recv-keys will happily
> download all those it finds. Also, pgp.mit.edu is a keyserver where
> everyone can upload arbitrary keys.
>
> You can run "gpg --recv 70096AD1" to play with multiple keys having the
> same key ID.
>
> I assume hp-plugin is open to downloading and verifying plugins signed
> by any key that one can verify that have that short key ID, and that
> with that and some fiddling with DNS one can cause systems running
> hp-plugin to download and run malicious code.
>
> A quick fix would be to use the full fingerprint instead of the key id.

A better quick fix would be to ship the authoritative key in hplip
directly, and avoid all interaction with the keyservers.

          --dkg