Bug 65862 (CVE-2005-0366)

Summary: VUL-0: CVE-2005-0366: opengpg: non-practical attack against opengpg protocol
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Biege <thomas>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: postadal, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2005-0366: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: opengpg.diff

Description Thomas Biege 2005-02-15 23:00:19 UTC 
... for the sake of completeness. 
 
Date: Thu, 10 Feb 2005 20:00:17 -0500 
From: David Shaw <dshaw@jabberwocky.com> 
To: announce@gnupg.org 
Message-ID: <20050211010017.GC1476@jabberwocky.com> 
Cc: 
Subject: [Announce] Attack against OpenPGP encryption 
 
Last night, Serge Mister and Robert Zuccherato published a paper 
reporting on an attack against OpenPGP symmetric encryption. 
 
This attack, while very significant from a cryptographic point of 
view, is not generally effective in the real world.  To be specific, 
unless you have your OpenPGP program set up as part of an automated 
system to accept encrypted messages, decrypt them, and then provide a 
response to the submitter, then this does not affect you at all. 
 
There is a very good writeup on the attack that goes into more depth 
at http://www.pgp.com/library/ctocorner/openpgp.html 
 
There will undoubtedly be further discussion of this over the next 
several days, but I wanted to provide a few comments now, to try and 
answer some questions that may arise: 
 
1) This is not a bug in any particular OpenPGP implementation (GnuPG, 
   PGP, Hushmail, etc).  Rather, this is an attack against the OpenPGP 
   protocol itself. 
 
2) The attack requires an average of 32,768 probes to get two bytes of 
   plaintext.  This is why it is completely ineffective against 
   human beings, who will presumably wonder why a stranger wants them 
   to decrypt thousands and thousands of messages that won't decrypt, 
   and then tell them what errors were seen. 
 
3) It might be effective against an automated process that 
   incorporates OpenPGP decryption, if that process returns errors 
   back to the sender. 
 
4) The OpenPGP Working Group will be discussing this issue and coming 
   up with an effective and permanent fix.  In the meantime, I have 
   attached two patches to this mail.  These patches disable a 
   portion of the OpenPGP protocol that the attack is exploiting. 
   This change should not be user visible.  With the patch in place, 
   this attack will not work using a public-key encrypted message.  It 
   will still work using a passphrase-encrypted message.  These 
   patches will be part of the 1.2.8 and 1.4.1 releases of GnuPG. 
 
5) The full paper is available at http://eprint.iacr.org/2005/033 
   It's a great piece of work. 
 
David 
 
Index: include/cipher.h
Comment 1 Thomas Biege 2005-02-15 23:00:19 UTC 
<!-- SBZ_reproduce  -->
-
Comment 2 Thomas Biege 2005-02-15 23:00:43 UTC 
Created attachment 28499 [details]
opengpg.diff
Comment 3 Klaus Singvogel 2005-02-17 21:37:05 UTC 
Here are more details (sorry, German only): 
http://www.heise.de/newsticker/meldung/56350 
 
but as said in the article, the problem is only valid for self-encrypting 
systems and the solution is deactivating the quick-scan. 
It's only a minor problem, IMHO.
Comment 4 Klaus Singvogel 2005-02-22 18:50:22 UTC 
submitted packages for all SuLi versions: 
8.1 (incl. UL1, SLEC, SLES8, ...), 8.2, 9.0, 9.1 (incl. SLES9), 9.2 
 
security-team please handle the rest. :-) 
 
BTW: SLEC had a more recent version than its superset version: 8.1 and SLES8 
Sure, I fixed the more recent version. :-)
Comment 5 Thomas Biege 2005-02-23 09:36:07 UTC 
Thank you. I'll handle the rest...
Comment 6 Klaus Singvogel 2005-02-23 09:46:53 UTC 
BTW: I noticed, that we have a gpg2 package in our distribution either. Please 
check, if this package isn't affected neihter.
Comment 7 Thomas Biege 2005-02-23 10:02:42 UTC 
 SM-Tracker-449
Comment 8 Thomas Biege 2005-02-23 10:04:07 UTC 
Hello Petr, 
can you check is gpg2 is affected too please.
Comment 9 Thomas Biege 2005-02-23 10:16:46 UTC 
Klaus, 
looks like some suse-dist mails are missing. JFYI.
Comment 10 Thomas Biege 2005-02-23 10:31:53 UTC 
/work/src/done/PATCHINFO/gpg.patch.box 
/work/src/done/PATCHINFO/gpg.patch.maintained
Comment 11 Petr Ostadal 2005-02-23 13:05:37 UTC 
Hi Thomas, gpg2 is affected too, I will prepare packages for 9.1 (sles9), 9.2
and STABLE ok?
Comment 12 Thomas Biege 2005-02-23 13:21:04 UTC 
Ok! 
 
Let me know when you are done and I will submit the patchinfo files.
Comment 13 Klaus Singvogel 2005-02-23 14:26:10 UTC 
I'm a bit puzzled, as a gpg2.spec is only existend for SLD, but nor for 9.1 
nor SLES9 (not talking about 9.2 nor STABLE :-). Please check it out again.
Comment 14 Petr Ostadal 2005-02-23 14:37:45 UTC 
Yes , you are right, our yapt tools for checkin packages some time lies, it have
to be SLD insted 9.1(sles9). (tcrhak have to catch a lot of similiar bugs in
this yapt tools ;))
Comment 15 Petr Ostadal 2005-02-23 15:06:51 UTC 
gpg2 packages fixed and submited for SLES9-SLD, 9.2 and STABLE.
Comment 16 Thomas Biege 2005-02-24 10:16:02 UTC 
Thanks! :) 
I'll do the patchinfo files then. 
 
 SM-Tracker-458 (for gpg2)
Comment 17 Thomas Biege 2005-02-24 10:16:44 UTC 
assign to sec-team
Comment 18 Thomas Biege 2005-02-25 10:55:11 UTC 
/work/src/done/PATCHINFO/gpg2.patch.*
Comment 19 Marcus Meissner 2005-03-14 15:33:26 UTC 
updated packages released for gpg2 too.
Comment 20 Ludwig Nussel 2005-03-17 09:42:40 UTC 
CAN-2005-0366
Comment 21 Thomas Biege 2009-10-13 21:06:23 UTC 
CVE-2005-0366: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)