Please apply mitigations for CVE-2019-13050

Bug #1844059 reported by Tom Reynolds
This bug affects 2 people
Affects: gnupg2 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

According to https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13050.html, mitigating CVE-2019-13050 was deferred; however, mitigation is needed.

Reading the comments listed there, I am unable to determine the reasoning / cause for the deferral. Could you please try to help me understand? Thanks in advance.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: gnupg 2.2.4-1ubuntu1.2
ProcVersionSignature: Ubuntu 5.0.0-27.28~18.04.1-generic 5.0.21
Uname: Linux 5.0.0-27-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.7
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Sun Sep 15 17:14:48 2019
SourcePackage: gnupg2
UpgradeStatus: No upgrade log present (probably fresh install)


Tom Reynolds (tomreyn) wrote :
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gnupg2 (Ubuntu):
status: New → Confirmed
Alex Murray (alexmurray) wrote :

As per the CVE details in the Ubuntu CVE tracker for this CVE (https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13050.html), you can see Marc mentions this was deferred because the specific updates to address this are not complete, so we are waiting on better upstream fixes before trying to fix this in Ubuntu.

Tom Reynolds (tomreyn) wrote :

Thanks for clarifying this here and on the CVE tracker, Alex + Marc!

Tom Reynolds (tomreyn) wrote :

Until this may get mitigations in Ubuntu, this approach can be used to (temporarily) clean up a poisoned key ring:

https://tech.michaelaltfield.net/2019/07/14/mitigating-poisoned-pgp-certificates/

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnupg2 - 2.2.4-1ubuntu1.5

---------------
gnupg2 (2.2.4-1ubuntu1.5) bionic-security; urgency=medium

  * SECURITY UPDATE: Certificate Spamming Attack through SKS
    (LP: #1844059)
    - debian/patches/CVE-2019-13050-1.patch: add option to only accept
      self-signatures when importing a key in g10/import.c,
      g10/options.h and doc/gpg.texi.
    - debian/patches/CVE-2019-13050-2.patch: add fallback when importing
      self-signatures only in g10/import.c.
    - debian/patches/CVE-2019-13050-3.patch: add "self-sigs-only" and
      "import-clean" to the keyserver options in g10/gpg.c and
      doc/gpg.texi.
    - debian/patches/CVE-2019-13050-4.patch: fix regression by ensuring
      KEYID is available on a pending package in g10/import.c.
    - debian/patches/CVE-2019-13050-5.patch: prevent fallback from being
      used if the options are already used in g10/import.c.
    - CVE-2019-13050

 -- David Fernandez Gonzalez <email address hidden> Thu, 26 May 2022 12:24:46 +0200

Changed in gnupg2 (Ubuntu):
status: Confirmed → Fix Released
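One way to act on the options this update adds, as an added example that is not the bug report's or the gnupg project's own code: a POSIX shell snippet that spots poisoned certificates in a local keyring by their signature count and re-imports a flagged key with `--import-options self-sigs-only,import-clean`. The 500-signature threshold, the function names and the sample listing are assumptions.

```sh
# Added example, not code from the bug report or the gnupg project: flag keys in a
# GnuPG keyring whose signature count is abnormally high (the symptom of the SKS
# certificate-spamming attack, CVE-2019-13050) and re-import them with the
# self-sigs-only / import-clean options that the patched package adds.

# Assumed threshold: legitimate keys rarely carry more than a few hundred
# third-party certifications; poisoned keys carry tens of thousands.
SIG_THRESHOLD="${SIG_THRESHOLD:-500}"

# Read `gpg --with-colons --list-sigs` output on stdin; print "<keyid> <count>"
# for every primary key ("pub", key ID in field 5) whose "sig"/"rev" records
# exceed the threshold passed as $1.
flag_bloated_keys() {
    awk -F: -v max="$1" '
        function emit() { if (key != "" && n > max) print key, n }
        $1 == "pub" { emit(); key = $5; n = 0; next }
        $1 == "sig" || $1 == "rev" { n++ }
        END { emit() }
    '
}

# Export one key, delete it, and import it back keeping only self-signatures
# and dropping unusable ones; needs a gpg with the CVE-2019-13050 fixes.
reimport_self_sigs_only() {
    keyid="$1"
    tmp="$(mktemp)" || return 1
    gpg --batch --yes --export "$keyid" > "$tmp" &&
        gpg --batch --yes --delete-keys "$keyid" &&
        gpg --batch --import --import-options self-sigs-only,import-clean "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample listing (not real keys): key A carries 2 signatures,
# key B carries 700, as a spammed certificate would.
sample_listing() {
    printf 'pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000::::::scESC::::::23::0:\n'
    printf 'uid:u::::1500000000::HASH::Alice (constructed)::::::::::0:\n'
    printf 'sig:::1:AAAAAAAAAAAAAAAA:1500000000::::Alice:13x:::::2:\n'
    printf 'sig:::1:BBBBBBBBBBBBBBBB:1500000001::::Bob:10x:::::2:\n'
    printf 'pub:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::scESC::::::23::0:\n'
    printf 'uid:u::::1500000000::HASH::Bob (constructed)::::::::::0:\n'
    i=0
    while [ "$i" -lt 700 ]; do
        printf 'sig:::1:CCCCCCCCCCCCCCCC:1500000002::::Spam:10x:::::2:\n'
        i=$((i + 1))
    done
}
```

Against a real keyring, run `gpg --with-colons --list-sigs | flag_bloated_keys "$SIG_THRESHOLD"` and pass each flagged key ID to `reimport_self_sigs_only`. Listing signatures on a badly poisoned key can itself take a long time, which is the slowdown this CVE is about, so expect the detection step to be slow on an affected keyring.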