Bug 689392 (CVE-2019-13050) - <app-crypt/gnupg-2.2.17: Certificate Spamming Attack
Summary: <app-crypt/gnupg-2.2.17: Certificate Spamming Attack
Status: RESOLVED FIXED
Alias: CVE-2019-13050
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: 689908
Reported: 2019-07-07 06:24 UTC by D'juan McDonald (domhnall)
Modified: 2019-08-14 13:34 UTC

See Also:
Package list:
app-crypt/gnupg-2.2.17
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Description D'juan McDonald (domhnall) 2019-07-07 06:24:53 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2019-13050):

Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.

Further Reference: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f


Gentoo Security Padawan
(domhnall)
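The description above locates the risk in a GnuPG keyserver configuration line that points at a host on the SKS network, and the summary names 2.2.17 as the first unaffected version. The following POSIX sh audit is an added example, not part of the bug report, of Gentoo's packaging or of GnuPG: it flags such lines in gpg.conf or dirmngr.conf and checks that the installed gpg is at or above 2.2.17. Assumptions made here: the SKS pool domain `sks-keyservers.net`, the function names, and that 2.2.17 mitigates the flooding by defaulting to `keyserver-options self-sigs-only,import-clean` (taken from the upstream release notes linked in Comment 1, not from this page), so a config that sets the `no-` forms is flagged as well.

```shell
#!/bin/sh
# Added audit helper (not from the bug report, Gentoo or GnuPG).
# Assumptions: the SKS pool is under sks-keyservers.net, and GnuPG 2.2.17
# (the fixed version in this bug's summary) defaults to
# keyserver-options self-sigs-only,import-clean.

SKS_SUFFIX='sks-keyservers.net'   # assumed pool domain

# gnupg_fixed VERSION
# Returns 0 when VERSION is >= 2.2.17; a Gentoo "-rN" suffix is tolerated.
gnupg_fixed() {
    v=${1%%-*}                            # drop a revision suffix such as -r1
    set -- $(printf '%s\n' "$v" | tr '.' ' ')
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    [ "$maj" -gt 2 ] && return 0
    [ "$maj" -lt 2 ] && return 1
    [ "$min" -gt 2 ] && return 0
    [ "$min" -lt 2 ] && return 1
    [ "$pat" -ge 17 ]
}

# audit_gpg_conf FILE
# Prints one finding per line; returns 0 when nothing risky is found, 1 otherwise.
# Works on gpg.conf and dirmngr.conf alike (both accept "keyserver"; the
# keyserver-options check is only meaningful for gpg.conf).
audit_gpg_conf() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "skip: $file not readable"; return 0; }

    # Uncommented "keyserver <url>" lines that point into the SKS pool.
    # ("keyserver-options" does not match because whitespace must follow "keyserver".)
    if grep -Ei "^[[:space:]]*keyserver[[:space:]]+.*${SKS_SUFFIX}" "$file" >/dev/null; then
        echo "RISK: $file: keyserver line refers to the SKS pool"
        rc=1
    fi

    # keyserver-options that switch the 2.2.17 default mitigation back off
    # (assumed option names, as documented upstream).
    if grep -Ei '^[[:space:]]*keyserver-options.*no-(self-sigs-only|import-clean)' "$file" >/dev/null; then
        echo "RISK: $file: keyserver-options re-enable import of third-party key signatures"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "ok: $file"
    return "$rc"
}

# audit_host: check the installed gpg and the per-user config files.
audit_host() {
    ver=$(gpg --version 2>/dev/null | sed -n '1s/.* //p')   # first line ends in the version
    if [ -n "$ver" ]; then
        if gnupg_fixed "$ver"; then
            echo "ok: gpg $ver is >= 2.2.17"
        else
            echo "RISK: gpg $ver is < 2.2.17"
        fi
    fi
    for f in "${GNUPGHOME:-$HOME/.gnupg}/gpg.conf" "${GNUPGHOME:-$HOME/.gnupg}/dirmngr.conf"; do
        audit_gpg_conf "$f" || :
    done
}

# Run the host audit only when invoked with --run, so the functions can also be sourced.
case "${1:-}" in
    --run) audit_host ;;
esac
```

Invoke the script with `--run` to audit the local installation; the two functions can also be sourced and pointed at arbitrary files, for example the system-wide configuration under /etc/gnupg on a Gentoo host.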
Comment 1 bugtrack 2019-07-10 08:35:58 UTC
GnuPG 2.2.17 has been released in order to address this issue:

https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html
Comment 2 Larry the Git Cow gentoo-dev 2019-07-10 08:43:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b9966122c613eafb7e8917b37da3d5c1fbb022a

commit 6b9966122c613eafb7e8917b37da3d5c1fbb022a
Author:     Kristian Fiskerstrand <k_f@gentoo.org>
AuthorDate: 2019-07-10 08:36:17 +0000
Commit:     Kristian Fiskerstrand <k_f@gentoo.org>
CommitDate: 2019-07-10 08:37:28 +0000

    app-crypt/gnupg: New upstream version 2.2.17
    
    Bug: https://bugs.gentoo.org/689392
    Signed-off-by: Kristian Fiskerstrand <k_f@gentoo.org>
    Package-Manager: Portage-2.3.66, Repoman-2.3.11

 app-crypt/gnupg/Manifest            |   1 +
 app-crypt/gnupg/gnupg-2.2.17.ebuild | 153 ++++++++++++++++++++++++++++++++++++
 2 files changed, 154 insertions(+)
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2019-07-17 10:05:15 UTC
Arches, please test and mark stable; 
app-crypt/gnupg-2.2.17
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-07-17 10:13:05 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-07-17 14:03:55 UTC
s390 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-07-17 15:25:47 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-07-18 09:58:11 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-07-18 10:08:15 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-07-18 13:11:35 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-07-18 14:13:56 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-07-18 14:25:18 UTC
alpha stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2019-07-21 08:27:34 UTC
hppa stable
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2019-07-21 21:18:10 UTC
arm64 stable
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-07-28 11:25:29 UTC
arm stable
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2019-08-11 21:57:57 UTC
@maintainer(s), please drop vulnerable.
Comment 16 Larry the Git Cow gentoo-dev 2019-08-14 13:33:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d79a7f81cec439f3dbbb10bcc6478f4ebb01061

commit 6d79a7f81cec439f3dbbb10bcc6478f4ebb01061
Author:     Kristian Fiskerstrand <k_f@gentoo.org>
AuthorDate: 2019-08-14 13:30:02 +0000
Commit:     Kristian Fiskerstrand <k_f@gentoo.org>
CommitDate: 2019-08-14 13:30:02 +0000

    app-crypt/gnupg: Remove old versions (security cleanup)
    
    Bug: https://bugs.gentoo.org/689392
    Signed-off-by: Kristian Fiskerstrand <k_f@gentoo.org>
    Package-Manager: Portage-2.3.66, Repoman-2.3.11

 app-crypt/gnupg/Manifest               |   6 --
 app-crypt/gnupg/gnupg-1.4.21.ebuild    | 114 ------------------------
 app-crypt/gnupg/gnupg-2.2.10.ebuild    | 134 -----------------------------
 app-crypt/gnupg/gnupg-2.2.12.ebuild    | 136 -----------------------------
 app-crypt/gnupg/gnupg-2.2.14.ebuild    | 136 -----------------------------
 app-crypt/gnupg/gnupg-2.2.15-r1.ebuild | 153 ---------------------------------
 app-crypt/gnupg/gnupg-2.2.15.ebuild    | 137 -----------------------------
 app-crypt/gnupg/gnupg-2.2.16-r1.ebuild | 153 ---------------------------------
 app-crypt/gnupg/gnupg-2.2.16.ebuild    | 153 ---------------------------------
 app-crypt/gnupg/metadata.xml           |   3 -
 10 files changed, 1125 deletions(-)
Comment 17 Kristian Fiskerstrand (RETIRED) gentoo-dev 2019-08-14 13:34:56 UTC
Cleanup done. Closing.