Bugzilla – Bug 1141093
VUL-0: CVE-2019-13050: gpg2: denial of service attacks via big keys
Last modified: 2021-02-22 20:15:27 UTC
Recently there were attacks against the public keyserver network, where a large number of signatures could be added to keys. This in turn would massively slow down gpg when it processes these keys. https://lwn.net/Articles/792366/ GPG 2.2.17 has now been released to fix this; we should backport the relevant changes.
Update to version 2.2.17, submitted to Factory: https://build.opensuse.org/request/show/714630
From Upstream [0], mitigations/repairs.

1) MITIGATIONS: High-risk users should stop using the keyserver network immediately. Users who are confident editing their GnuPG configuration files should follow the following process:
*) Open gpg.conf in a text editor. Ensure there is no line starting with keyserver. If there is, remove it.
*) Open dirmngr.conf in a text editor. Add the line keyserver hkps://keys.openpgp.org to the end of it.
keys.openpgp.org is a new experimental keyserver which is not part of the keyserver network and has some features which make it resistant to this sort of attack. It is not a drop-in replacement: it has some limitations (for instance, its search functionality is sharply constrained). However, once you make this change you will be able to run gpg --refresh-keys with confidence.

2) REPAIRS: If you know which certificate is likely poisoned, try deleting it: this normally goes pretty quickly. If your OpenPGP installation becomes usable again, congratulations. Acquire a new unpoisoned copy of the certificate and import that. If you don't know which certificate is poisoned, your best bet is to get a list of all your certificate IDs, delete your keyrings completely, and rebuild from scratch using known-good copies of the public certificates.

[0] https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
Upstream has fixed this by introducing a new import and keyserver option "self-sigs-only" and adding a fallback to import with self-sigs-only on too large keyblocks, here:
https://dev.gnupg.org/T4591
https://dev.gnupg.org/rG2e349bb6173789e0e9e42c32873d89c7bc36cea4
https://dev.gnupg.org/rGadb120e663fc5e78f714976c6e42ae233c1990b0
https://dev.gnupg.org/rG3a403ab04eeb45f12b34f9d9c421dac93eaf2160
https://dev.gnupg.org/rGa1f2f38dfb2ba5ed66d3aef66fc3be9b67f9b800
It should also be interesting to consider adding enough space to import revocations as in: https://dev.gnupg.org/T4612
Created attachment 810489: Patch with all related commits
SUSE-SU-2019:2006-1: An update that solves one vulnerability and has one errata is now available.
Category: security (important)
Bug References: 1124847,1141093
CVE References: CVE-2019-13050
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): gpg2-2.2.5-4.11.1
SUSE Linux Enterprise Module for Basesystem 15 (src): gpg2-2.2.5-4.11.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1917-1: An update that solves one vulnerability and has one errata is now available.
Category: security (important)
Bug References: 1124847,1141093
CVE References: CVE-2019-13050
Sources used:
openSUSE Leap 15.1 (src): gpg2-2.2.5-lp151.6.3.1
openSUSE Leap 15.0 (src): gpg2-2.2.5-lp150.3.10.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2019-09-26. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64358
SUSE-SU-2019:2480-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 1124847,1141093
CVE References: CVE-2019-13050
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src): gpg2-2.0.24-9.8.1
SUSE Linux Enterprise Desktop 12-SP4 (src): gpg2-2.0.24-9.8.1
SUSE CaaS Platform 3.0 (src): gpg2-2.0.24-9.8.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done