Bug 923248 - <app-crypt/gnupg-{2.2.42-r2, 2.4.4}: Unprotected key backup created with smartcard key generation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://gnupg.org/blog/20240125-smart...
Whiteboard: A4 [glsa+]
Depends on: 923800
Reported: 2024-01-29 09:43 UTC by Sam James
Modified: 2024-08-10 08:42 UTC (History)

Runtime testing required: ---
Description Sam James 2024-01-29 09:43:35 UTC
Advisory: https://gnupg.org/blog/20240125-smartcard-backup-key.html

Quoting the advisory:
"""
The standard way to generate keys on a smartcard with GnuPG is to create the encryption subkey with gpg and to move this key to the smartcard. A password protected backup file named sk_<keyid>.gpg is also created so that in the case of a lost or broken smartcard, the key can be restored to a new smartcard to allow decryption of existing data. Unfortunately with some versions of GnuPG an additional unprotected copy of the encryption subkey is also kept on disk.

All possibly affected users should check whether such an unintended copy of a smartcard key exists and delete it.
"""
Comment 1 Sam James 2024-01-29 09:45:13 UTC
commit 3169869c36db352a79b60deebe0dc67c68b408ae
Author: Robin H. Johnson <robbat2@gentoo.org>
Date:   Sun Jan 28 15:26:51 2024 -0800

    app-crypt/gnupg: bump

    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

but we need to backport this for 2.2.x too.
Comment 2 Larry the Git Cow 2024-01-29 09:49:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=794b312233b33ce315807bb305e0db42d530dfe7

commit 794b312233b33ce315807bb305e0db42d530dfe7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-01-29 09:48:36 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-29 09:48:47 +0000

    app-crypt/gnupg: backport insecure smartcard backup fix to 2.2.x
    
    Bug: https://bugs.gentoo.org/923248
    Signed-off-by: Sam James <sam@gentoo.org>

 .../gnupg-2.2.42-bug923248-insecure-backup.patch   | 292 +++++++++++++++++++++
 app-crypt/gnupg/gnupg-2.2.42-r2.ebuild             | 182 +++++++++++++
 2 files changed, 474 insertions(+)
Comment 3 Larry the Git Cow 2024-08-10 08:41:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=edaa82dbe986586c12f7d0e15ccfaa2e8c17c4d2

commit edaa82dbe986586c12f7d0e15ccfaa2e8c17c4d2
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-10 08:41:19 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-10 08:41:29 +0000

    [ GLSA 202408-23 ] GnuPG: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/855395
    Bug: https://bugs.gentoo.org/923248
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-23.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)