Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 646212 - <app-portage/emerge-delta-webrsync-3.7.5: emerge*-webrsync accepts a revoked key
Summary: <app-portage/emerge-delta-webrsync-3.7.5: emerge*-webrsync accepts a revoked key
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+ cleanup]
Keywords:
: 570734 (view as bug list)
Depends on:
Blocks:
 
Reported: 2018-01-31 15:23 UTC by Michał Górny
Modified: 2019-04-08 15:22 UTC (History)
2 users (show)

See Also:
Package list:
=app-portage/emerge-delta-webrsync-3.7.5
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-01-31 15:23:42 UTC
Disclaimer: I haven't tested it practically but eyeball-verified that the code is vulnerable.


The signature verification in emerge-webrsync (which has been copied into emerge-delta-webrsync as well) pretty much boils down to running 'gpg --verify ...' and checking the return code. However, gpg will return a successful return code if the signature is valid but has been made by *revoked* key.

It's basically the same problem as bug #570734 but it has been ignored there because the submitter noticed only that it applies to expired keys. However, the lack of explicit gpg status code verification means the verification will only fail if there is no signature, no matching key or the signature is bad. Untrusted, expired and revoked keys are merely reported as warnings.

This means that if a malicious third party obtains the Gentoo snapshot signing key and Infra revokes it, and even if user makes sure to regularly refresh the keys and gpg actually fetches the revocation, emerge-webrsync will still proceed with the update and exit successfully. The revocation warning can be easily missed in the following output or when the job is run automated.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-02-01 08:34:32 UTC
At a first glance, it should fix the immediate problem. However, I hate it because it's yet another part of duplicated code in this ugly thing.
Comment 3 Zac Medico gentoo-dev 2018-07-22 21:45:52 UTC
Strict signature check is enabled since sys-apps/portage-2.3.22:

https://gitweb.gentoo.org/proj/portage.git/commit/?id=ffd68477e5c1e1badf60c86ae221c90dad50390d
Comment 4 Zac Medico gentoo-dev 2018-07-22 21:52:00 UTC
*** Bug 570734 has been marked as a duplicate of this bug. ***
Comment 5 Zac Medico gentoo-dev 2018-07-23 00:29:55 UTC
Also fixed in app-portage/emerge-delta-webrsync-3.7.4:

https://gitweb.gentoo.org/proj/portage.git/commit/?id=52d5d444ffb144911ca9b6e70b383405a8bd8af6
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2019-03-12 06:15:28 UTC
Please clean-up, version 2.3.8 : 0
Comment 7 Larry the Git Cow gentoo-dev 2019-03-12 07:39:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf2a7ad91461e9d48b8abc66726ab80d22d7209c

commit cf2a7ad91461e9d48b8abc66726ab80d22d7209c
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2019-03-12 07:37:29 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2019-03-12 07:39:36 +0000

    sys-apps/portage: remove version 2.3.8
    
    Bug: https://bugs.gentoo.org/646212
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 sys-apps/portage/Manifest             |   1 -
 sys-apps/portage/portage-2.3.8.ebuild | 244 ----------------------------------
 2 files changed, 245 deletions(-)
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-03-28 23:47:41 UTC
@arches, please stabilize.
Comment 9 Zac Medico gentoo-dev 2019-03-29 00:05:43 UTC
Stable candidate should now be emerge-delta-webrsync-3.7.5.
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-03-29 06:49:41 UTC
amd64 stable
Comment 11 Thomas Deutschmann gentoo-dev Security 2019-04-01 17:22:27 UTC
x86 stable
Comment 12 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-02 12:32:33 UTC
alpha stable
Comment 13 Sergei Trofimovich gentoo-dev 2019-04-07 21:42:45 UTC
ia64 stable
Comment 14 Sergei Trofimovich gentoo-dev 2019-04-08 06:08:42 UTC
ppc stable
Comment 15 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-04-08 13:45:11 UTC
@portage, please drop vulnerable.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2019-04-08 15:22:08 UTC
This issue was resolved and addressed in
 GLSA 201904-11 at https://security.gentoo.org/glsa/201904-11
by GLSA coordinator Aaron Bauman (b-man).