Bug 1219191 - VUL-0: gpg2: Smartcard generation keeps an unprotected backup key on disk
Summary: VUL-0: gpg2: Smartcard generation keeps an unprotected backup key on disk
Status: IN_PROGRESS
Alias: None
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.5
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-01-25 17:09 UTC by Andreas Stieger
Modified: 2024-01-26 11:23 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2024-01-25 17:09:33 UTC
It was discovered that GnuPG before 2.4.4 kept an additional unprotected copy of the encryption subkey on disk.

2.4.2, 2.4.3 and 2.2.42 are affected if the card generation was done with the command gpg --card-edit. If the smartcard was created without a backup of the encryption key, the problem does not show up either. Having a password-protected backup key is expected behavior.

References:
https://gnupg.org/blog/20240125-smartcard-backup-key.html
Comment 1 Pedro Monreal Gonzalez 2024-01-25 21:10:36 UTC
I don't see a CVE assigned to this.

Factory submission: sr#1141569
Comment 2 Thomas Leroy 2024-01-26 10:21:05 UTC
Thanks for the report, Andreas.

SUSE:ALP:Source:Standard:1.0 is also affected.