Bug 24178 - gnupg2 new security issue CVE-2018-1000858
Summary: gnupg2 new security issue CVE-2018-1000858
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-01-14 15:43 CET by David Walser
Modified: 2019-03-14 22:41 CET (History)
10 users (show)

See Also:
Source RPM: gnupg2-2.1.21-3.1.mga6.src.rpm
CVE: CVE-2018-1000858
Status comment:


Attachments

Description David Walser 2019-01-14 15:43:40 CET
Ubuntu has issued an advisory on January 10:
https://usn.ubuntu.com/3853-1/

The issue was fixed upstream in 2.2.12:
https://github.com/gpg/gnupg/commit/4a4bb874f63741026bd26264c43bb32b1099f060
Comment 1 Marja Van Waes 2019-01-15 08:25:44 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing some committers (even if one or two only committed to the cauldron package).

Assignee: bugsquad => pkg-bugs
CC: (none) => eatdirt, geiger.david68210, marja11, ngompa13, nicolas.salguero, smelror

Comment 2 Nicolas Salguero 2019-03-08 14:25:13 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed in after commit 4a4bb874f63741026bd26264c43bb32b1099f060. (CVE-2018-1000858)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000858
https://usn.ubuntu.com/3853-1/
https://lists.opensuse.org/opensuse-security-announce/2019-01/msg00009.html
========================

Updated package in core/updates_testing:
========================
gnupg2-2.1.21-3.2.mga6

from SRPMS:
gnupg2-2.1.21-3.2.mga6.src.rpm

CVE: (none) => CVE-2018-1000858
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

Comment 3 Herman Viaene 2019-03-09 10:34:48 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug22940 Comment4 for tests
$ gpg2 --gen-key
gpg (GnuPG) 2.1.21-3.2.mga6; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: starting migration from earlier GnuPG versions
gpg: WARNING: server 'gpg-agent' is older than us (2.1.21-3.1.mga6 < 2.1.21-3.2.mga6)
gpg: porting secret keys from '/home/tester6/.gnupg/secring.gpg' to gpg-agent
and mentioning previously generated key
further proceeding to generate a new key for user tester6

$ gpg2 --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2021-03-08
and then further displaying two keys

$ echo "test test test" > testgpg2.txt
$ ls testgp*
testgpg2.txt 
$ gpg2 -e -r tester6 testgpg2.txt 
$ ls testgp*
testgpg2.txt  testgpg2.txt.gpg
$ rm testgpg2.txt
rm: normaal bestand 'testgpg2.txt' verwijderen? j
$ ls testgp*
testgpg2.txt.gpg
$ gpg2 testgpg2.txt.gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: WARNING: server 'gpg-agent' is older than us (2.1.21-3.1.mga6 < 2.1.21-3.2.mga6)
gpg: encrypted with 2048-bit RSA key, ....<details of the key>
$ ls testgp*
testgpg2.txt  testgpg2.txt.gpg
[tester6@mach6 Documenten (BARE:master)]$ more testgpg2.txt
test test test
[tester6@mach6 Documenten (BARE:master)]$ gpg2 --delete-secret-keys tester6
gpg (GnuPG) 2.1.21-3.2.mga6; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: WARNING: server 'gpg-agent' is older than us (2.1.21-3.1.mga6 < 2.1.21-3.2.mga6)

sec   <details of the key>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
and answering yes on pop-up windows

$ gpg2 --delete-key tester6
gpg (GnuPG) 2.1.21-3.2.mga6; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: WARNING: server 'gpg-agent' is older than us (2.1.21-3.1.mga6 < 2.1.21-3.2.mga6)
pub  <details of the key>

Delete this key from the keyring? (y/N) y

$ gpg2 --list-keys | grep tester6
gpg: checking the trustdb
gpg: no ultimately trusted keys found
/home/tester6/.gnupg/pubring.kbx

Notice that while this laptop is installed in Dutch - see rm command above - all the gpg dialogues are in English.
This and the items on the older version of gpg-agent are not a reason for me personally to block this update, but I wonder whether this is expected behavior.

CC: (none) => herman.viaene

Comment 4 PC LX 2019-03-10 00:44:54 CET
Installed and tested without issues.

Tests included:
- CLI list public/private keys;
- CLI generate public/private key pair;
- CLI sign key;
- CLI encrypt/decrypt file;
- CLI sign/verify file;
- CLI detached sign/verify file;
- kgpg usage;
- kleopatra usage;
- kmail sign/verify and encrypt/decrypt emails;

System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.104-desktop-2.mga6 #1 SMP Wed Feb 27 17:08:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q gnupg2
gnupg2-2.1.21-3.2.mga6

CC: (none) => mageia

Comment 5 PC LX 2019-03-14 11:36:30 CET
Several days without activity and two OKs (comment 3 for 32 bits and comment 4 for 64 bits) so I'll mark it as OK and move it along. Feel free to undo the OKs if you think its needed.

Whiteboard: (none) => MGA6-32-OK MGA6-64-OK

Dave Hodgins 2019-03-14 20:18:28 CET

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2019-03-14 22:41:10 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0108.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.