| Summary: | gnupg2 new security issue CVE-2018-9234 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | geiger.david68210, herman.viaene, marja11, ngompa13, nicolas.salguero, smelror, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-32-OK MGA6-64-OK | ||
| Source RPM: | gnupg2-2.1.21-2.mga6.src.rpm | CVE: | |
| Status comment: | Patch available from upstream | ||
Description
David Walser
2018-04-22 16:36:56 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing some committers.

Assignee: bugsquad => pkg-bugs

The RedHat bug has a link to the upstream patch to fix it:
https://bugzilla.redhat.com/show_bug.cgi?id=1563930

Status comment: (none) => Patch available from upstream

Sorry, for Mga6, I thought I was incrementing the sub release number and, in fact, it was the release one. So the new package is not gnupg2-2.1.21-2.1.mga6 but gnupg2-2.1.21-3.mga6.

Suggested advisory:
========================

The updated package fixes a security vulnerability:

GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey. (CVE-2018-9234)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9234
========================

Updated package in 5/core/updates_testing:
========================
gnupg2-2.0.27-1.1.mga5

from SRPMS:
gnupg2-2.0.27-1.1.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
gnupg2-2.1.21-3.mga6

from SRPMS:
gnupg2-2.1.21-3.mga6.src.rpm

Status: NEW => ASSIGNED

MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Ref to bug 11306 Comment 3 for tests:
gpg2 --gen-key, accept all defaults and user tester5
$ gpg2 --list-keys
/home/tester5/.gnupg/pubring.gpg
--------------------------------
and listing the keys
$ echo "test test test" > testgpg2.txt
$ ls
testgpg2.txt
$ gpg2 -e -r tester5 testgpg2.txt
$ ls
testgpg2.txt testgpg2.txt.gpg
$ rm testgpg2.txt
rm: normaal bestand ‘testgpg2.txt’ verwijderen? j
$ ls
testgpg2.txt.gpg
$ gpg2 testgpg2.txt.gpg
entering passphrase
$ ls
testgpg2.txt testgpg2.txt.gpg
$ more testgpg2.txt
test test test
$ gpg2 --delete-secret-keys tester5
answering j to questions
$ gpg2 --delete-key tester5
answering j to questions
$ gpg2 --list-keys | grep tester5
gpg: de betrouwbaarheidsdatabank (trustdb) wordt gecontroleerd
gpg: geen uiterst betrouwbare sleutels gevonden
: no keys found
Seems good enough to me.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Testing M6/64
I already had gnupg2-2.1.21-2 installed; update to gnupg2-2.1.21-3.mga6 went OK.
Thanks to both Claire & Herman for setting this up. I made a complication in ending up with a USER-ID of "lewis smith <***@***.fr>" rather than a single word; avoid that!
Created a new key.
$ gpg2 --gen-key
Listed the key to verify it's there.
$ gpg2 --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2020-05-23
/home/lewis/.gnupg/pubring.gpg
------------------------------
pub rsa2048 2018-05-24 [SC] [expires: 2020-05-23]
C94A3C3F5A774DFE6ADE50125C2508F4EC80B039
uid [ultimate] lewis smith <lewyssmith@free.fr>
sub rsa2048 2018-05-24 [E] [expires: 2020-05-23]
Create a test file to encrypt.
$ echo "test test test" > test.txt
$ ls -l test*
-rw-rw-r-- 1 lewis lewis 15 Mai 24 16:56 testgpg2.txt
Encrypt it:
$ gpg2 -e -r "lewis smith <***@***.fr>" testgpg2.txt
$ ls -l test*
-rw-rw-r-- 1 lewis lewis 15 Mai 24 16:56 testgpg2.txt
-rw-rw-r-- 1 lewis lewis 349 Mai 24 16:58 testgpg2.txt.gpg
Remove the original:
$ rm test.txt
$ ls -l test*
-rw-rw-r-- 1 lewis lewis 349 Mai 24 16:58 testgpg2.txt.gpg
Decrypt it back:
$ gpg2 testgpg2.txt.gpg
[enter passphrase]
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: WARNING: server 'gpg-agent' is older than us (2.1.21-2.mga6 < 2.1.21-3.mga6)
gpg: encrypted with 2048-bit RSA key, ID 978C99D6596C4F25, created 2018-05-24
"lewis smith <***@***.fr>"
$ ls -l test*
-rw-rw-r-- 1 lewis lewis 15 Mai 24 17:01 testgpg2.txt
-rw-rw-r-- 1 lewis lewis 349 Mai 24 16:58 testgpg2.txt.gpg
$ cat testgpg2.txt
test test test
Delete the key:
$ gpg2 --delete-secret-keys "lewis smith <***@***.fr>"
gpg: WARNING: server 'gpg-agent' is older than us (2.1.21-2.mga6 < 2.1.21-3.mga6)
[2 console + 2 dialogue confirmations]
$ gpg2 --delete-key "lewis smith <***@***.fr>"
gpg: WARNING: server 'gpg-agent' is older than us (2.1.21-2.mga6 < 2.1.21-3.mga6)
Delete this key from the keyring? (y/N) y
Check it had gone:
$ gpg2 --list-keys
$
[I could not get a grep of the O/P to work because of the weird USER-ID].
Update looks good.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0254.html

Resolution: (none) => FIXED
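As an added example (not from this bug report, the advisory, or GnuPG itself), a check a keyring owner can run over `gpg --with-colons --list-sigs` output to spot the condition the advisory describes: a user-ID certification whose issuer is a signing subkey rather than the Certify-capable primary key. The embedded listing is constructed with fake key IDs; the field positions follow GnuPG's documented colon format.

```python
"""Added example: flag user-ID certifications whose issuer is a subkey
instead of a primary (Certify-capable) key, by parsing the output of
`gpg --with-colons --list-sigs`.  SAMPLE_LISTING is constructed with
fake key IDs; it is not taken from the Mageia bug or a real keyring."""

SAMPLE_LISTING = """\
pub:u:2048:1:AAAAAAAAAAAA0001:1527171000:1590243000::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000AAAAAAAAAAAA0001:
uid:u::::1527171000::HASHA::alice <alice@example.invalid>::::::::::0:
sig:::1:AAAAAAAAAAAA0001:1527171000::::alice <alice@example.invalid>:13x:::::8:
sub:u:2048:1:AAAAAAAAAAAA0002:1527171000:1590243000:::::s::::::23:
sub:u:2048:1:AAAAAAAAAAAA0003:1527171000:1590243000:::::e::::::23:
pub:f:2048:1:BBBBBBBBBBBB0001:1527171000:1590243000::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000BBBBBBBBBBBB0001:
uid:f::::1527171000::HASHB::bob <bob@example.invalid>::::::::::0:
sig:::1:BBBBBBBBBBBB0001:1527171000::::bob <bob@example.invalid>:13x:::::8:
sig:::1:AAAAAAAAAAAA0002:1527172000::::alice <alice@example.invalid>:10x:::::8:
sub:f:2048:1:BBBBBBBBBBBB0003:1527171000:1590243000:::::e::::::23:
"""

CERT_CLASSES = ("10", "11", "12", "13")  # RFC 4880 user-ID certification classes


def find_subkey_certifications(listing):
    """Return (certified_uid, issuer_keyid, issuer_primary_keyid) for each
    user-ID certification whose issuer key ID is a subkey in the listing."""
    primary_of = {}  # subkey key ID -> key ID of the primary it belongs to
    current = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]
        elif f[0] == "sub" and current:
            primary_of[f[4]] = current

    findings = []
    uid = None  # user ID that the following sig records certify
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "uid":
            uid = f[9]
        elif f[0] in ("pub", "sub"):
            uid = None  # sigs under sub are binding signatures, not certifications
        elif f[0] == "sig" and uid is not None:
            issuer, sig_class = f[4], f[10][:2]
            if sig_class in CERT_CLASSES and issuer in primary_of:
                findings.append((uid, issuer, primary_of[issuer]))
    return findings
```

Run it on your own keyring by piping `gpg --with-colons --list-sigs` into `find_subkey_certifications`; a certification issued by a subkey is one a fixed GnuPG would have refused to create and should not be relied on.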