Bug 1141093 - (CVE-2019-13050) VUL-0: CVE-2019-13050: gpg2: denial of service attacks via big keys
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/236903/
Whiteboard: CVSSv2:NVD:CVE-2019-13050:5.0:(AV:N/A...
Depends on:
Blocks:
Reported: 2019-07-11 07:21 UTC by Marcus Meissner
Modified: 2021-02-22 20:15 UTC
CC List: 5 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Patch with all related commits (17.41 KB, patch)
2019-07-15 16:39 UTC, Pedro Monreal Gonzalez

Description Marcus Meissner 2019-07-11 07:21:06 UTC
Recently there were attacks against the public keyserver network, where a large number of signatures could be added to keys.

This in turn would massively slow down gpg when it processes these keys.

https://lwn.net/Articles/792366/

GPG 2.2.17 has now been released to fix this; we should backport the relevant changes.
Comment 2 Pedro Monreal Gonzalez 2019-07-12 08:56:07 UTC
Update to version 2.2.17, submitted to Factory:
https://build.opensuse.org/request/show/714630
Comment 3 Pedro Monreal Gonzalez 2019-07-15 14:52:03 UTC
From upstream [0], mitigations and repairs:

1) MITIGATIONS:
High-risk users should stop using the keyserver network immediately.

Users who are confident editing their GnuPG configuration files should follow the following process:
  *) Open gpg.conf in a text editor. Ensure there is no line starting with keyserver. If there is, remove it.
  *) Open dirmngr.conf in a text editor. Add the line keyserver hkps://keys.openpgp.org to the end of it.

keys.openpgp.org is a new experimental keyserver which is not part of the keyserver network and has some features which make it resistant to this sort of attack. It is not a drop-in replacement: it has some limitations (for instance, its search functionality is sharply constrained). However, once you make this change you will be able to run gpg --refresh-keys with confidence.

2) REPAIRS:
If you know which certificate is likely poisoned, try deleting it: this normally goes pretty quickly. If your OpenPGP installation becomes usable again, congratulations. Acquire a new unpoisoned copy of the certificate and import that.

If you don't know which certificate is poisoned, your best bet is to get a list of all your certificate IDs, delete your keyrings completely, and rebuild from scratch using known-good copies of the public certificates.

[0] https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
Comment 4 Pedro Monreal Gonzalez 2019-07-15 15:02:15 UTC
Upstream has fixed this by introducing a new import and keyserver option "self-sigs-only" and added a fallback to import with self-sigs-only on too large keyblocks, here:

   https://dev.gnupg.org/T4591

   https://dev.gnupg.org/rG2e349bb6173789e0e9e42c32873d89c7bc36cea4
   https://dev.gnupg.org/rGadb120e663fc5e78f714976c6e42ae233c1990b0
   https://dev.gnupg.org/rG3a403ab04eeb45f12b34f9d9c421dac93eaf2160
   https://dev.gnupg.org/rGa1f2f38dfb2ba5ed66d3aef66fc3be9b67f9b800

It would also be interesting to consider adding enough space to import revocations, as in:

   https://dev.gnupg.org/T4612
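As an added example (not from this bug report and not GnuPG's own code), the POSIX shell below applies the two mitigations discussed in comments 3 and 4 in one place: it removes any keyserver line from gpg.conf, points dirmngr.conf only at hkps://keys.openpgp.org, and opts into the 2.2.17 self-sigs-only import and keyserver options. It also carries a helper for the rebuild-from-scratch repair that pulls the primary-key fingerprints out of a gpg --list-keys --with-colons listing. Function names, the throwaway directory and the sample colon listing are this example's own assumptions; the example runs without gpg installed and touches only the directory you pass it.

```shell
#!/bin/sh
# Added example, not part of this bug report or of GnuPG itself.
# Applies the upstream mitigation quoted in comment 3 plus the 2.2.17
# "self-sigs-only" option from comment 4 to a GnuPG home directory, and
# extracts primary fingerprints from a "gpg --with-colons" listing for the
# delete-and-rebuild repair. Function names are this example's own.

# Apply the mitigation to $1 (default ~/.gnupg):
#   - gpg.conf carries no "keyserver" line (dirmngr owns it since 2.1)
#   - dirmngr.conf points only at hkps://keys.openpgp.org
#   - gpg.conf asks for self-sigs-only on import and on keyserver fetches
#     (import-options / keyserver-options, available from gpg 2.2.17)
harden_gnupg_home() {
    home="${1:-$HOME/.gnupg}"
    gpgconf="$home/gpg.conf"
    dmconf="$home/dirmngr.conf"
    (umask 077; mkdir -p "$home"; touch "$gpgconf" "$dmconf")

    # 1. gpg.conf: strip any keyserver line, keeping a backup.
    if grep -q '^[[:space:]]*keyserver[[:space:]]' "$gpgconf"; then
        cp -p "$gpgconf" "$gpgconf.bak"
        grep -v '^[[:space:]]*keyserver[[:space:]]' "$gpgconf.bak" > "$gpgconf" || :
    fi

    # 2. gpg.conf: accept only self-signatures on import and keyserver fetch.
    for opt in 'import-options self-sigs-only' 'keyserver-options self-sigs-only'; do
        grep -qx "$opt" "$gpgconf" || printf '%s\n' "$opt" >> "$gpgconf"
    done

    # 3. dirmngr.conf: replace every keyserver line with keys.openpgp.org.
    cp -p "$dmconf" "$dmconf.bak"
    {
        grep -v '^[[:space:]]*keyserver[[:space:]]' "$dmconf.bak" || :
        printf 'keyserver hkps://keys.openpgp.org\n'
    } > "$dmconf"
    # A running dirmngr keeps its old settings; reload it afterwards with:
    #   gpgconf --reload dirmngr
}

# Return 0 when $1 is in the mitigated state, 1 otherwise.
check_gnupg_home() {
    home="${1:-$HOME/.gnupg}"
    ! grep -q '^[[:space:]]*keyserver[[:space:]]' "$home/gpg.conf" &&
    grep -qx 'import-options self-sigs-only' "$home/gpg.conf" &&
    grep -qx 'keyserver-options self-sigs-only' "$home/gpg.conf" &&
    [ "$(grep -c '^[[:space:]]*keyserver[[:space:]]' "$home/dirmngr.conf")" -eq 1 ] &&
    grep -qx 'keyserver hkps://keys.openpgp.org' "$home/dirmngr.conf"
}

# Repair step: print primary-key fingerprints from a
# "gpg --list-keys --with-colons" listing read on stdin, so the keyring can
# be deleted and rebuilt from known-good copies. In the colon format the
# "fpr" record directly after "pub" holds the primary fingerprint in field
# 10; "fpr" records after "sub" belong to subkeys and are skipped.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "fpr" && want { print $10; want = 0; next }
        { want = 0 }
    '
}

# Constructed sample listing (two keys with made-up IDs) so this runs offline.
SAMPLE_COLONS='tru::1:1562835000:0:3:1:5
pub:u:4096:1:1111111111111111:1500000000:::u:::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1500000000::DEADBEEF::Alice Example <alice@example.org>::::::::::0:
sub:u:4096:1:2222222222222222:1500000000::::::e::::::23:
fpr:::::::::2222222222222222222222222222222222222222:
pub:u:255:22:3333333333333333:1550000000:::u:::scESC:::::ed25519:::0:
fpr:::::::::3333333333333333333333333333333333333333:
uid:u::::1550000000::CAFEBABE::Bob Example <bob@example.org>::::::::::0:'

# Stand-alone demo against a throwaway directory (never your real ~/.gnupg).
demo_dir=$(mktemp -d)
printf 'keyserver hkp://pool.sks-keyservers.net\nutf8-strings\n' > "$demo_dir/gpg.conf"
printf 'keyserver hkp://pool.sks-keyservers.net\n' > "$demo_dir/dirmngr.conf"
harden_gnupg_home "$demo_dir"
check_gnupg_home "$demo_dir" && echo "mitigated: $demo_dir"
printf '%s\n' "$SAMPLE_COLONS" | primary_fingerprints
rm -rf "$demo_dir"
```

To apply it to a real account, run harden_gnupg_home with no argument (or with $GNUPGHOME), then gpgconf --reload dirmngr; the self-sigs-only options only take effect on gpg 2.2.17 or a backport that carries the commits listed above, and on older gpg they are rejected as unknown option values, so check the version first. The fingerprint helper feeds the repair in comment 3: save its output, delete the keyrings, and re-import each fingerprint from a trusted source.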
Comment 5 Pedro Monreal Gonzalez 2019-07-15 16:39:18 UTC
Created attachment 810489 [details]
Patch with all related commits
Comment 10 Swamp Workflow Management 2019-07-29 16:11:19 UTC
SUSE-SU-2019:2006-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1124847,1141093
CVE References: CVE-2019-13050
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    gpg2-2.2.5-4.11.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    gpg2-2.2.5-4.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2019-08-15 13:18:50 UTC
openSUSE-SU-2019:1917-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1124847,1141093
CVE References: CVE-2019-13050
Sources used:
openSUSE Leap 15.1 (src):    gpg2-2.2.5-lp151.6.3.1
openSUSE Leap 15.0 (src):    gpg2-2.2.5-lp150.3.10.1
Comment 18 Swamp Workflow Management 2019-09-12 08:32:20 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2019-09-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64358
Comment 19 Swamp Workflow Management 2019-09-27 16:14:01 UTC
SUSE-SU-2019:2480-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1124847,1141093
CVE References: CVE-2019-13050
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src):    gpg2-2.0.24-9.8.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    gpg2-2.0.24-9.8.1
SUSE CaaS Platform 3.0 (src):    gpg2-2.0.24-9.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Marcus Meissner 2019-10-20 08:20:28 UTC
done