Bug 1219191

Summary: VUL-0: gpg2: Smartcard generation keeps an unprotected backup key on disk
Product: [openSUSE] openSUSE Distribution
Reporter: Andreas Stieger <Andreas.Stieger>
Component: Security
Assignee: Security Team bot <security-team>
Status: IN_PROGRESS
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P3 - Medium
CC: pmonrealgonzalez, security-team, thomas.leroy
Version: Leap 15.5
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2024-01-25 17:09:33 UTC
It was discovered that GnuPG before 2.4.4 kept an additional unprotected copy of the encryption subkey on disk.

2.4.2, 2.4.3 and 2.2.42 are affected if the card generation was done with the command gpg --card-edit. If the smartcard was created without a backup of the encryption key, the problem does not show up either. Having a password-protected backup key is expected behavior.

References:
https://gnupg.org/blog/20240125-smartcard-backup-key.html
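Added example (editor's code, not part of the bug report, the GnuPG advisory or the GnuPG project): a check for secret keys that gpg-agent keeps on disk without passphrase protection, which is what an affected installation would show. It relies on two documented gpg-agent behaviours as I understand them: the `S KEYINFO` status lines printed by `gpg-connect-agent 'keyinfo --list' /bye` (type column D = key stored in a file, T = smartcard stub, X = missing; protection column P = passphrase protected, C = clear, `-` = unknown), and the on-disk format of `~/.gnupg/private-keys-v1.d/*.key` files (canonical S-expression starting with `(21:protected-private-key`, `(11:private-key` or `(20:shadowed-private-key`, or the extended key format where the S-expression follows a `Key:` header). The sample `keyinfo` output is constructed, the bug report does not say where the stray copy lives, and the check is generic: any type-D key reported as clear deserves a look.

```python
"""Find secret keys that gpg-agent stores on disk without passphrase
protection. Added example, not GnuPG's own code; the KEYINFO column layout
and key-file tags below are assumptions taken from gpg-agent documentation.
"""
import re
import subprocess
from pathlib import Path

# "S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> ..."
KEYINFO_RE = re.compile(
    r"^S KEYINFO (?P<keygrip>[0-9A-F]{40}) (?P<type>[DTX-]) (?P<serialno>\S+) "
    r"(?P<idstr>\S+) (?P<cached>\S+) (?P<protection>[PC-])"
)


def unprotected_keygrips(keyinfo_output: str) -> list[str]:
    """Keygrips of keys held in a file (type D) with no protection (C)."""
    found = []
    for line in keyinfo_output.splitlines():
        m = KEYINFO_RE.match(line.strip())
        if m and m["type"] == "D" and m["protection"] == "C":
            found.append(m["keygrip"])
    return found


# Canonical S-expression prefixes of a private-keys-v1.d file.
_CANONICAL_TAGS = {
    b"(21:protected-private-key": "protected",
    b"(11:private-key": "unprotected",
    b"(20:shadowed-private-key": "shadowed",
}
# Same tags in advanced notation, as used after "Key:" in extended format.
_ADVANCED_TAGS = {
    b"protected-private-key": "protected",
    b"private-key": "unprotected",
    b"shadowed-private-key": "shadowed",
}


def classify_keyfile(data: bytes) -> str:
    """Classify one key file as protected / unprotected / shadowed / unknown."""
    if data.startswith(b"("):
        for tag, kind in _CANONICAL_TAGS.items():
            if data.startswith(tag):
                return kind
        return "unknown"
    # Extended key format: header lines, then "Key: (<tag> (rsa ..." .
    for line in data.splitlines():
        if line.startswith(b"Key:"):
            body = line[4:].lstrip()
            if body.startswith(b"("):
                tag = body[1:].split(b" ", 1)[0].split(b"(", 1)[0]
                return _ADVANCED_TAGS.get(tag, "unknown")
    return "unknown"


def scan_private_keys_dir(directory: Path) -> dict[str, str]:
    """Map each *.key file name (its keygrip) to its classification."""
    return {p.stem: classify_keyfile(p.read_bytes())
            for p in sorted(directory.glob("*.key"))}


def query_agent() -> str:
    """Live check against the running gpg-agent (needs gpg-connect-agent)."""
    proc = subprocess.run(["gpg-connect-agent", "keyinfo --list", "/bye"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


# Constructed sample resembling an affected install: the encryption subkey is
# present as a smartcard stub (T) and again as a clear (C) copy on disk.
SAMPLE_KEYINFO = """\
S KEYINFO 2B2C8D5A5F6E7A8B9C0D1E2F3A4B5C6D7E8F9A0B D - - - P - - -
S KEYINFO 9F8E7D6C5B4A39281706F5E4D3C2B1A0F9E8D7C6 T D2760001240103040006123456780000 OPENPGP.2 - - - - -
S KEYINFO 1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D D - - - C - - -
OK
"""

if __name__ == "__main__":
    for grip in unprotected_keygrips(SAMPLE_KEYINFO):
        print("sample: unprotected key on disk:", grip)
    try:
        for grip in unprotected_keygrips(query_agent()):
            print("live: unprotected key on disk:", grip)
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("gpg-agent not queried:", exc)
    for grip, kind in scan_private_keys_dir(Path.home() / ".gnupg" / "private-keys-v1.d").items():
        print(grip, kind)
```

A keygrip flagged here is only a candidate: confirm against `gpg --list-secret-keys --with-keygrip` which key it is, and follow the GnuPG advisory linked above for what to do with the stray copy.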
Comment 1 Pedro Monreal Gonzalez 2024-01-25 21:10:36 UTC
I don't see a CVE assigned to this.

Factory submission: sr#1141569
Comment 2 Thomas Leroy 2024-01-26 10:21:05 UTC
Thanks for the report Andreas.

SUSE:ALP:Source:Standard:1.0 is also affected.