
Bug 923248

Summary: <app-crypt/gnupg-{2.2.42-r2, 2.4.4}: Unprotected key backup created with smartcard key generation
Product: Gentoo Security Reporter: Sam James <sam>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: ajak, base-system
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://gnupg.org/blog/20240125-smartcard-backup-key.html
See Also: https://dev.gnupg.org/T6944
Whiteboard: A4 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 923800    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-01-29 09:43:35 UTC
Advisory: https://gnupg.org/blog/20240125-smartcard-backup-key.html

Quoting the advisory:
"""
The standard way to generate keys on a smartcard with GnuPG is to create the encryption subkey with gpg and to move this key to the smartcard. A password protected backup file named sk_<keyid>.gpg is also created so that in the case of a lost or broken smartcard, the key can be restored to a new smartcard to allow decryption of existing data. Unfortunately with some versions of GnuPG an additional unprotected copy of the encryption subkey is also kept on disk.

All possibly affected users should check whether such an unintended copy of a smartcard key exists and delete it.
"""
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-01-29 09:45:13 UTC
commit 3169869c36db352a79b60deebe0dc67c68b408ae
Author: Robin H. Johnson <robbat2@gentoo.org>
Date:   Sun Jan 28 15:26:51 2024 -0800

    app-crypt/gnupg: bump

    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

but we need to backport this for 2.2.x too.
Comment 2 Larry the Git Cow gentoo-dev 2024-01-29 09:49:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=794b312233b33ce315807bb305e0db42d530dfe7

commit 794b312233b33ce315807bb305e0db42d530dfe7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-01-29 09:48:36 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-29 09:48:47 +0000

    app-crypt/gnupg: backport insecure smartcard backup fix to 2.2.x
    
    Bug: https://bugs.gentoo.org/923248
    Signed-off-by: Sam James <sam@gentoo.org>

 .../gnupg-2.2.42-bug923248-insecure-backup.patch   | 292 +++++++++++++++++++++
 app-crypt/gnupg/gnupg-2.2.42-r2.ebuild             | 182 +++++++++++++
 2 files changed, 474 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2024-08-10 08:41:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=edaa82dbe986586c12f7d0e15ccfaa2e8c17c4d2

commit edaa82dbe986586c12f7d0e15ccfaa2e8c17c4d2
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-10 08:41:19 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-10 08:41:29 +0000

    [ GLSA 202408-23 ] GnuPG: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/855395
    Bug: https://bugs.gentoo.org/923248
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-23.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)