touch-packages team mailing list archive
Message #67248
[Bug 1409117] Re: GPG does not verify keys received when using --recv-keys leaving communication with key servers vulnerable to MITM
This bug was fixed in the package gnupg2 - 2.0.22-3ubuntu1.3
---------------
gnupg2 (2.0.22-3ubuntu1.3) trusty-security; urgency=medium
  * Screen responses from keyservers (LP: #1409117)
    - d/p/0001-Screen-keyserver-responses.patch
    - d/p/0002-Make-screening-of-keyserver-result-work-with-multi-k.patch
    - d/p/0003-Add-kbnode_t-for-easier-backporting.patch
    - d/p/0004-gpg-Fix-regression-due-to-the-keyserver-import-filte.patch
  * Fix large key size regression from CVE-2014-5270 changes (LP: #1371766)
    - d/p/Add-build-and-runtime-support-for-larger-RSA-key.patch
    - debian/rules: build with --enable-large-secmem
  * SECURITY UPDATE: invalid memory read via invalid keyring
    - debian/patches/CVE-2015-1606.patch: skip all packets not allowed in
      a keyring in g10/keyring.c.
    - CVE-2015-1606
  * SECURITY UPDATE: memcpy with overlapping ranges
    - debian/patches/CVE-2015-1607.patch: use inline functions to convert
      buffer data to scalars in common/iobuf.c, g10/build-packet.c,
      g10/getkey.c, g10/keyid.c, g10/main.h, g10/misc.c,
      g10/parse-packet.c, g10/tdbio.c, g10/trustdb.c, include/host2net.h,
      kbx/keybox-dump.c, kbx/keybox-openpgp.c, kbx/keybox-search.c,
      kbx/keybox-update.c, scd/apdu.c, scd/app-openpgp.c,
      scd/ccid-driver.c, scd/pcsc-wrapper.c, tools/ccidmon.c.
    - CVE-2015-1607
 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Fri, 27 Mar 2015 08:18:55 -0400
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/1409117
Title:
GPG does not verify keys received when using --recv-keys leaving
communication with key servers vulnerable to MITM
Status in GNU Privacy Guard:
Fix Released
Status in gnupg package in Ubuntu:
Fix Released
Status in gnupg2 package in Ubuntu:
Fix Released
Status in gnupg source package in Lucid:
Confirmed
Status in gnupg2 source package in Lucid:
Confirmed
Status in gnupg source package in Precise:
Fix Released
Status in gnupg2 source package in Precise:
Fix Released
Status in gnupg source package in Trusty:
Fix Released
Status in gnupg2 source package in Trusty:
Fix Released
Status in gnupg source package in Utopic:
Fix Released
Status in gnupg2 source package in Utopic:
Fix Released
Status in gnupg source package in Vivid:
Fix Released
Status in gnupg2 source package in Vivid:
Fix Released
Status in gnupg package in Debian:
Fix Released
Bug description:
The patch from http://bugs.gnupg.org/gnupg/issue1579 is critical and
should be backported to 12.04; right now, it is not.
This leaves 12.04 users of GPG2 vulnerable to MITM attacks on gpg2
--recv-keys. See https://evil32.com/ for an example (the text that is
struck out; the gpg2 package on 12.04 is still vulnerable).
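As an added illustration (not the gnupg2 patch itself, nor code from the bug report), the following Python models what the "screen responses from keyservers" fix above does: keep only received keys whose fingerprint matches an identifier that was actually requested. The constructed sample also shows why requesting by full fingerprint rather than 32-bit key ID matters: two keys sharing a short key ID both pass the screen.

```python
# Added example (not GnuPG's code): a model of the keyserver response
# screening referenced in the changelog. All key material is constructed.

HEX = set("0123456789ABCDEF")


def normalize_id(ident: str) -> str:
    """Canonicalise a key ID or fingerprint: drop spaces and 0x, uppercase,
    and accept only 8 (short ID), 16 (long ID) or 40 (v4 fingerprint) digits."""
    ident = ident.replace(" ", "").upper()
    if ident.startswith("0X"):
        ident = ident[2:]
    if len(ident) not in (8, 16, 40) or any(c not in HEX for c in ident):
        raise ValueError(f"not a key ID or fingerprint: {ident!r}")
    return ident


def matches_request(fpr: str, ident: str) -> bool:
    """For v4 keys the long key ID is the low 64 bits of the fingerprint and
    the short ID the low 32 bits, so IDs match on the fingerprint's tail;
    a full fingerprint must match exactly."""
    ident, fpr = normalize_id(ident), normalize_id(fpr)
    return fpr == ident if len(ident) == 40 else fpr.endswith(ident)


def screen_keyserver_response(requested, received):
    """Keep only received keys whose fingerprint matches something that was
    asked for; anything else in the response (injected by the keyserver or
    a man in the middle) is dropped. Returns (accepted_fprs, rejected_fprs)."""
    accepted, rejected = [], []
    for key in received:
        bucket = accepted if any(matches_request(key["fpr"], r) for r in requested) else rejected
        bucket.append(key["fpr"])
    return accepted, rejected


# Constructed sample response: the wanted key, a second key crafted to
# share its 32-bit key ID, and an unrelated key that was never requested.
GENUINE = "0123456789ABCDEF0123456789ABCDEFDEADBEEF"
COLLIDER = "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDEADBEEF"
UNRELATED = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
RESPONSE = [{"fpr": GENUINE, "uid": "Alice <alice@example.org>"},
            {"fpr": COLLIDER, "uid": "Alice <alice@example.org>"},
            {"fpr": UNRELATED, "uid": "Mallory <mallory@example.org>"}]

if __name__ == "__main__":
    # By short key ID: the unrelated key is rejected, but the colliding key
    # still passes, so screening alone does not defeat short-ID collisions.
    print(screen_keyserver_response(["0xDEADBEEF"], RESPONSE))
    # By full fingerprint: only the genuine key survives.
    print(screen_keyserver_response([GENUINE], RESPONSE))
```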
To manage notifications about this bug go to:
https://bugs.launchpad.net/gnupg/+bug/1409117/+subscriptions