gnupg2: CVE-2018-9234: Able to certify public keys without a certify key present when using smartcard


Debian Bug report logs - #894983


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 5 Apr 2018 20:51:02 UTC

Severity: important

Tags: security, upstream

Found in version gnupg2/2.2.5-1

Fixed in version gnupg2/2.2.7-1

Done: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Bug is archived. No further changes may be made.

Forwarded to https://dev.gnupg.org/T3844



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, gniibe@fsij.org, wk@gnupg.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#894983; Package src:gnupg2. (Thu, 05 Apr 2018 20:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, gniibe@fsij.org, wk@gnupg.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Thu, 05 Apr 2018 20:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gnupg2: CVE-2018-9234: Able to certify public keys without a certify key present when using smartcard
Date: Thu, 05 Apr 2018 22:49:44 +0200
Source: gnupg2
Version: 2.2.5-1
Severity: important
Tags: security upstream
Forwarded: https://dev.gnupg.org/T3844

Hi,

The following vulnerability was published for gnupg2:

CVE-2018-9234[0]:
| GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key
| certification requires an offline master Certify key, which results in
| apparently valid certifications that occurred only with access to a
| signing subkey.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-9234
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9234
[1] https://dev.gnupg.org/T3844
[2] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=a17d2d1f690ebe5d005b4589a5fe378b6487c657

Please adjust the affected versions in the BTS as needed. Can you
clarify if this affects as well way back to STABLE-BRANCH-1-4?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#894983; Package src:gnupg2. (Fri, 06 Apr 2018 01:57:06 GMT)


Acknowledgement sent to NIIBE Yutaka <gniibe@fsij.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Fri, 06 Apr 2018 01:57:06 GMT)


Message #10 received at 894983@bugs.debian.org:

From: NIIBE Yutaka <gniibe@fsij.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 894983@bugs.debian.org
Subject: Re: Bug#894983: gnupg2: CVE-2018-9234: Able to certify public keys without a certify key present when using smartcard
Date: Fri, 06 Apr 2018 10:15:51 +0900
Hello,

Thank you for the bug report.

Salvatore Bonaccorso <carnil@debian.org> wrote:
> The following vulnerability was published for gnupg2:

Vulnerability? ... well, kind of.

Given this is escalated to CVE, I considered and evaluated the problem
again.

I think that we need to fix the checking of signature by a key which
does not have a capability to certify other keys.

> CVE-2018-9234[0]:
> | GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key
> | certification requires an offline master Certify key, which results in
> | apparently valid certifications that occurred only with access to a
> | signing subkey.

This description does not sound accurate to me.  In my opinion, the
certifications are invalid.

The smartcard problem was introduced by the commits of mine:

	commit fbb2259d22e6c6eadc2af722bdc52922da348677
	Author: NIIBE Yutaka <gniibe@fsij.org>
	Date:   Mon May 22 09:27:36 2017 +0900

	    g10: Fix default-key selection for signing, possibly by card.

and

	commit 97a2394ecafaa6f58e4a1f70ecfd04408dc15606
	Author: NIIBE Yutaka <gniibe@fsij.org>
	Date:   Thu Apr 27 10:33:58 2017 +0900

	    g10: For signing, prefer available card key when no -u option.

2.1.21 or later versions have this problem.  It will be fixed in
forthcoming 2.2.6.

Invalid certifications can only be generated by GnuPG 2.1/2.2 with
smartcard, not by 2.0 or 1.4.

> Please adjust the affected versions in the BTS as needed. Can you
> clarify if this affects as well way back to STABLE-BRANCH-1-4?

The checking of invalid certifications would be worthwhile for all branches of
GnuPG.  As for the fix of the checking, I'm not that confident whether my
proposed fix of gpg-CVE-2018-9234.diff at [0] is correct.  Review is required.

[0] https://dev.gnupg.org/T3844



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#894983; Package src:gnupg2. (Fri, 06 Apr 2018 14:42:04 GMT)


Acknowledgement sent to Werner Koch <wk@gnupg.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Fri, 06 Apr 2018 14:42:04 GMT)


Message #15 received at 894983@bugs.debian.org:

From: Werner Koch <wk@gnupg.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 894983@bugs.debian.org
Subject: Re: Bug#894983: gnupg2: CVE-2018-9234: Able to certify public keys without a certify key present when using smartcard
Date: Fri, 06 Apr 2018 16:08:16 +0200
On Thu,  5 Apr 2018 22:49, carnil@debian.org said:

> CVE-2018-9234[0]:
> | GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key
> | certification requires an offline master Certify key, which results in
> | apparently valid certifications that occurred only with access to a
> | signing subkey.

That is more a description of an unspecified behaviour of OpenPGP. It is
not clear from the specs whether a subkey shall be able to certify a
userid or a subkey.

The problem with such a certification from a subkey is that you can't
evaluate it due to the catch-22: The key usage flags are part of the
signature itself and to check the signature you need to have the usage
flags.  For the primary key this is not a problem because it implicitly
has certification usage.

We are currently testing a patch but are also considering to disallow
certification from subkeys at all.

> Please adjust the affected versions in the BTS as needed. Can you
> clarify if this affects as well way back to STABLE-BRANCH-1-4?

We won't do any large change to 1.4 and may eventually remove smart card
support from 1.4 - it is anyway very limited when not used with the 2.2
gpg-agent, and even then it does not support everything we have in 2.2.



Salam-Shalom,

   Werner



p.s.
I am a bit wondering whether escalating this bug report
(https://dev.gnupg.org/T3844) via a CVE was a sensible strategy.

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are governed by a federal law.
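Werner's catch-22 above is about evaluating the signer's capability: a certification is only meaningful if the key that made it is allowed to certify, and a primary key is implicitly allowed while a subkey is not. The following added example (not GnuPG code, and not from anyone in this thread) shows how a keyring owner can audit existing certifications from `gpg --check-sigs --with-colons` output and flag those made by a signing-only subkey, which is exactly what the affected versions produced. The listing, key IDs and the `allow_subkey_certify` policy switch are constructed for the example.

```python
# Constructed sample in `gpg --check-sigs --with-colons` format; key IDs are
# placeholders, not real keys. Field 1: record type; field 5: key ID;
# field 11: signature class; field 12: per-key capability letters.
COLON_LISTING = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::0000000000000000000000000000000000000001::Alice <alice@example.invalid>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::s::::::23:
pub:u:4096:1:DDDDDDDDDDDDDDDD:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::0000000000000000000000000000000000000002::Bob <bob@example.invalid>::::::::::0:
sig:::1:DDDDDDDDDDDDDDDD:1500000000::::Bob <bob@example.invalid>:13x::
sig:::1:BBBBBBBBBBBBBBBB:1500000100::::Alice <alice@example.invalid>:13x::
sig:::1:EEEEEEEEEEEEEEEE:1500000200::::[User ID not found]:10x::
"""

CERT_CLASSES = {"10", "11", "12", "13"}  # OpenPGP User ID certification classes


def key_capabilities(listing):
    """Map key ID -> (record type, capability letters) for pub/sub records."""
    caps = {}
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 11:
            caps[f[4]] = (f[0], f[11])
    return caps


def audit_certifications(listing, allow_subkey_certify=False):
    """Return (signer key ID, sig class, verdict) for each certification found."""
    keys = key_capabilities(listing)
    verdicts = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] != "sig" or len(f) < 11:
            continue
        signer, sigclass = f[4], f[10][:2]  # e.g. "13x" -> class 0x13
        if sigclass not in CERT_CLASSES:
            continue
        if signer not in keys:
            verdict = "unknown-signer"  # signer not in this keyring, cannot judge
        else:
            ktype, flags = keys[signer]
            # Primary keys certify implicitly; a subkey only with its own 'c'
            # flag, and only if policy allows subkey certification at all.
            can_certify = ktype == "pub" or ("c" in flags and allow_subkey_certify)
            verdict = "ok" if can_certify else "signer-cannot-certify"
        verdicts.append((signer, sigclass, verdict))
    return verdicts
```

With the default policy the second sig line, made by Alice's signing-only subkey, is reported as `signer-cannot-certify`; feeding the function real `--with-colons` output of your own keyring is the obvious next step.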

Marked as fixed in versions gnupg2/2.2.7-1. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to control@bugs.debian.org. (Fri, 08 Jun 2018 23:03:06 GMT)


Marked Bug as done. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to control@bugs.debian.org. (Fri, 08 Jun 2018 23:03:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 08 Jun 2018 23:03:07 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#894983. (Fri, 08 Jun 2018 23:03:08 GMT)


Message #24 received at 894983-submitter@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: control@bugs.debian.org
Cc: 894983-submitter@bugs.debian.org
Subject: closing 894983
Date: Fri, 08 Jun 2018 17:44:31 -0400
close 894983 2.2.7-1
thanks




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 07 Jul 2018 07:30:47 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:29:19 2019; Machine Name: buxtehude
