LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
Old 10-07-2014, 03:29 PM   #1
CTM
Member
 
Registered: Apr 2004
Distribution: Slackware
Posts: 308

Rep: Reputation: 287
Bug in gnupg/gnupg2 packages; requesting upgrade to latest versions


A change was recently made to the GnuPG codebases whereby GnuPG now checks during a key import operation whether a key matches the search description before it is imported. This works fine when importing a single key (e.g. "gpg --recv-key 12345678"), but the code is incomplete and doesn't work properly when importing multiple keys (e.g. "gpg --refresh-keys" or "gpg --recv-key 12345678 90ABCDEF"). The bug causes gpg to print a rather mysterious error, e.g. for --refresh-keys:

Code:
gpg: key 91B35673: rejected by import filter
gpg: key 74858952: rejected by import filter
gpg: key E1B7D789: rejected by import filter
gpg: key 3637BBA2: rejected by import filter
gpg: key 57ED7F67: rejected by import filter
gpg: key 9FBC897B: rejected by import filter
gpg: key 02FF4B7C: rejected by import filter
gpg: key DE6F0195: rejected by import filter
gpg: key D30D87A4: rejected by import filter
The fact that this breaks --refresh-keys in particular is a pretty serious problem, since other software (e.g. Enigmail) relies on it to function correctly.

This bug is fixed as of GnuPG 1.4.18 and 2.0.26 (the patch is committed to git here), and I've compiled my own packages to verify that they fix the error given above by --refresh-keys (they do).

It's tenuous to suggest that this is a security risk in itself, but given that other security-sensitive software might rely on --refresh-keys working correctly, is there any chance we could get updated official packages, please?
 
Old 10-07-2014, 04:40 PM   #2
mancha
Member
 
Registered: Aug 2012
Posts: 484

Rep: Reputation: Disabled
Thank you for bringing this up. A bit more background:
  1. GnuPG 1.4.18 fixes a 1.4.17 regression when more than one keyid is given to --recv-keys
  2. GnuPG 1.4.19 will fix a 1.4.17 regression when a subkey id is given to --recv-keys
  3. GnuPG 2.0.25 fixes a 2.0.24 regression when more than one keyid is given to --recv-keys
  4. GnuPG 2.0.26 fixes a 2.0.24 regression when a subkey id is given to --recv-keys.
While you're fixing your own copies of GnuPG 1 & 2, you should upgrade to Libgcrypt 1.5.4 because Slackware's GnuPG-2 remains vulnerable to CVE-2013-4576/CVE-2014-5270 due to an old Libgcrypt (see: here and here).

Also, when you build GnuPG 1.4.18 you can apply gnugp-1.4.18_subkeyregress.diff that fixes the subkey regression (#2 above)

--mancha

Last edited by mancha; 10-07-2014 at 05:05 PM.
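As an added example (not code from either poster or from the GnuPG project), the POSIX sh script below classifies a GnuPG version string against the four regressions mancha lists in post #2 and counts the "rejected by import filter" lines CTM quotes in post #1, so an administrator can tell from `gpg --version` and a captured `--refresh-keys` log whether a box is affected. The status labels and the sample gpg output are constructed for illustration; the key ids in the sample are the ones quoted above.

```sh
#!/bin/sh
# Added example, not from the thread. Classifies a GnuPG version string
# against the --recv-keys regressions described in this thread and counts
# "rejected by import filter" lines in captured gpg output.

# gpg_regression_status VERSION
# Prints one of:
#   multikey+subkey  - both regressions present (1.4.17, 2.0.24)
#   subkey           - only the subkey-id regression remains (1.4.18, 2.0.25)
#   ok               - not affected (predates the regression, or fixed)
#   unknown          - a release line this check does not cover
gpg_regression_status() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#"$major".}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#"$minor".} ;;
        *)   patch=0 ;;                 # no patch component given
    esac
    patch=${patch%%[!0-9]*}             # drop suffixes such as "-1" or "a"
    [ -n "$patch" ] || patch=0

    case "$major.$minor" in
        1.4) first=17 ;;                # regression introduced in 1.4.17
        2.0) first=24 ;;                # regression introduced in 2.0.24
        *)   echo unknown; return ;;
    esac

    if [ "$patch" -lt "$first" ]; then
        echo ok                         # older than the regression
    elif [ "$patch" -eq "$first" ]; then
        echo multikey+subkey            # 1.4.17 / 2.0.24
    elif [ "$patch" -eq $((first + 1)) ]; then
        echo subkey                     # 1.4.18 / 2.0.25: multi-key fixed only
    else
        echo ok                         # 1.4.19+ / 2.0.26+
    fi
}

# count_rejected_keys < gpg-output
# Counts keys reported as "rejected by import filter", the symptom quoted
# for --refresh-keys under an affected version.
count_rejected_keys() {
    n=0
    while IFS= read -r line; do
        case $line in
            "gpg: key "*": rejected by import filter") n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed sample of gpg stderr from a --refresh-keys run (the host name
# is a placeholder; two of three keys hit the broken import filter).
SAMPLE_GPG_OUTPUT='gpg: refreshing 3 keys from hkp://keyserver.example.invalid
gpg: key 91B35673: rejected by import filter
gpg: key 74858952: rejected by import filter
gpg: key E1B7D789: "Example User <user@example.invalid>" not changed'

# Demo: classify a few constructed version strings and scan the sample.
for v in 1.4.16 1.4.17 1.4.18 1.4.19 2.0.24 2.0.25 2.0.26; do
    printf 'gpg %s: %s\n' "$v" "$(gpg_regression_status "$v")"
done
printf 'rejected keys in sample output: %s\n' \
    "$(printf '%s\n' "$SAMPLE_GPG_OUTPUT" | count_rejected_keys)"
```

In practice you would feed `gpg --version | head -n1 | awk '{print $3}'` to `gpg_regression_status` and pipe the stderr of `gpg --refresh-keys` into `count_rejected_keys`; a non-zero count on a version that reports `ok` points at some other cause, since the filter bug is specific to the releases listed.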
 
Old 10-21-2014, 03:34 PM   #3
mancha
Member
 
Registered: Aug 2012
Posts: 484

Rep: Reputation: Disabled
I hope I didn't jinx your thread with my reply (my own gnupg2/libgcrypt security report from 10 months ago still hasn't gotten any Bob love).

You might consider greasing the wheels with a promise of a case of beer...

--mancha
 