Advisory: https://gnupg.org/blog/20240125-smartcard-backup-key.html

Quoting the advisory:
"""
The standard way to generate keys on a smartcard with GnuPG is to create the encryption subkey with gpg and to move this key to the smartcard. A password protected backup file named sk_<keyid>.gpg is also created so that in the case of a lost or broken smartcard, the key can be restored to a new smartcard to allow decryption of existing data.

Unfortunately with some versions of GnuPG an additional unprotected copy of the encryption subkey is also kept on disk. All possibly affected users should check whether such an unintended copy of a smartcard key exists and delete it.
"""
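Added example, not part of this bug report or of GnuPG's own code: a POSIX shell check that walks a constructed sample of gpg-agent's KEYINFO listing and flags card subkeys whose agent record is a full private key stored on disk rather than a smartcard stub, which is the unintended copy the advisory describes. The KEYINFO field layout (type D = on disk, T = token stub; protection P = passphrase-protected, C = clear) and the commands gpg-connect-agent 'KEYINFO --list' /bye and gpg -K --with-keygrip are my assumptions about GnuPG, not something the quoted advisory states.

```shell
#!/bin/sh
# Constructed sample of what `gpg-connect-agent 'KEYINFO --list' /bye` prints.
# Assumed layout: S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> ...
#   type:       D = private key stored on disk, T = shadow stub pointing at a smartcard
#   protection: P = passphrase-protected, C = clear (unprotected), - = unknown
SAMPLE_KEYINFO='S KEYINFO 1111111111111111111111111111111111111111 T D2760001240103041234567890120000 OPENPGP.2 - - - - -
S KEYINFO 2222222222222222222222222222222222222222 D - - 1 C - - -
S KEYINFO 3333333333333333333333333333333333333333 D - - - P - - -
OK'

# Constructed keygrips that `gpg -K --with-keygrip` would report for the
# subkeys that are supposed to live only on the card.
CARD_KEYGRIPS='1111111111111111111111111111111111111111
2222222222222222222222222222222222222222'

# Prints "<keygrip> <protection>" for every card keygrip whose agent record is
# type D (a real key file on disk) instead of type T (a smartcard stub).
# Arguments: $1 = KEYINFO listing, $2 = newline-separated card keygrips.
find_disk_copies() {
    keyinfo="$1"; grips="$2"
    printf '%s\n' "$keyinfo" | while read -r tag cmd grip type _serial _id _cached prot _rest; do
        # Skip the trailing OK line and anything that is not a KEYINFO record.
        [ "$tag" = "S" ] && [ "$cmd" = "KEYINFO" ] || continue
        # Only on-disk keys are of interest; stubs are the expected state.
        [ "$type" = "D" ] || continue
        # Report it only if the keygrip belongs to a subkey that should be card-only.
        if printf '%s\n' "$grips" | grep -qx "$grip"; then
            printf '%s %s\n' "$grip" "$prot"
        fi
    done
}

# Expected: only keygrip 2222... is reported, with protection C (unprotected).
find_disk_copies "$SAMPLE_KEYINFO" "$CARD_KEYGRIPS"
```

On a real system, feed the function the live output of the two commands instead of the constructed samples; a reported keygrip with protection C is the unprotected copy the advisory asks users to look for.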
commit 3169869c36db352a79b60deebe0dc67c68b408ae
Author: Robin H. Johnson <robbat2@gentoo.org>
Date:   Sun Jan 28 15:26:51 2024 -0800

    app-crypt/gnupg: bump

    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

But we need to backport this for 2.2.x too.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=794b312233b33ce315807bb305e0db42d530dfe7

commit 794b312233b33ce315807bb305e0db42d530dfe7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-01-29 09:48:36 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-29 09:48:47 +0000

    app-crypt/gnupg: backport insecure smartcard backup fix to 2.2.x

    Bug: https://bugs.gentoo.org/923248
    Signed-off-by: Sam James <sam@gentoo.org>

 .../gnupg-2.2.42-bug923248-insecure-backup.patch | 292 +++++++++++++++++++++
 app-crypt/gnupg/gnupg-2.2.42-r2.ebuild           | 182 +++++++++++++
 2 files changed, 474 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=edaa82dbe986586c12f7d0e15ccfaa2e8c17c4d2

commit edaa82dbe986586c12f7d0e15ccfaa2e8c17c4d2
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-10 08:41:19 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-10 08:41:29 +0000

    [ GLSA 202408-23 ] GnuPG: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/855395
    Bug: https://bugs.gentoo.org/923248
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-23.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)