File gnupg-CVE-2019-13050_1_of_5.patch of Package gpg2.25113

Overview Repositories Revisions Requests Users Attributes Meta

File gnupg-CVE-2019-13050_1_of_5.patch of Package gpg2.25113

commit 2e349bb6173789e0e9e42c32873d89c7bc36cea4
Author: Werner Koch <wk@gnupg.org>
Date:   Mon Jul 1 15:14:59 2019 +0200

gpg: New import and keyserver option "self-sigs-only"
    
    * g10/options.h (IMPORT_SELF_SIGS_ONLY): New.
    * g10/import.c (parse_import_options): Add option "self-sigs-only".
    (read_block): Handle that option.
    --
    
    This option is intended to help against importing keys with many bogus
    key-signatures.  It has obvious drawbacks and is not a bullet-proof
    solution because a self-signature can also be faked and would be
    detected only later.
    
    GnuPG-bug-id: 4591
    Signed-off-by: Werner Koch <wk@gnupg.org>

Index: gnupg-2.0.24/doc/gpg.texi
===================================================================
--- gnupg-2.0.24.orig/doc/gpg.texi
+++ gnupg-2.0.24/doc/gpg.texi
@@ -2068,6 +2068,14 @@ opposite meaning. The options are:
   on the keyring. This option is the same as running the @option{--edit-key}
   command "clean" after import. Defaults to no.
 
+  @item self-sigs-only
+  Accept only self-signatures while importing a key.  All other
+  key-signatures are skipped at an early import stage.  This option
+  can be used with @code{keyserver-options} to mitigate attempts to
+  flood a key with bogus signatures from a keyserver.  The drawback is
+  that all other valid key-signatures, as required by the Web of Trust
+  are also not imported.
+
   @item import-minimal
   Import the smallest key possible. This removes all signatures except
   the most recent self-signature on each user ID. This option is the
Index: gnupg-2.0.24/g10/import.c
===================================================================
--- gnupg-2.0.24.orig/g10/import.c
+++ gnupg-2.0.24/g10/import.c
@@ -96,6 +96,8 @@ parse_import_options(char *str,unsigned
     {
       {"import-local-sigs",IMPORT_LOCAL_SIGS,NULL,
        N_("import signatures that are marked as local-only")},
+      {"self-sigs-only", IMPORT_SELF_SIGS_ONLY,NULL,
+       N_("ignore key-signatures which are not self-signatures")},
       {"repair-pks-subkey-bug",IMPORT_REPAIR_PKS_SUBKEY_BUG,NULL,
        N_("repair damage from the pks keyserver during import")},
       {"fast-import",IMPORT_FAST,NULL,
@@ -395,6 +397,8 @@ read_block( IOBUF a, unsigned int option
     PACKET *pkt;
     KBNODE root = NULL;
     int in_cert;
+    u32 keyid[2];
+    unsigned int dropped_nonselfsigs = 0;
 
     if( *pending_pkt ) {
 	root = new_kbnode( *pending_pkt );
@@ -450,6 +454,31 @@ read_block( IOBUF a, unsigned int option
 	    init_packet(pkt);
             break;
 
+	  case PKT_SIGNATURE:
+	    if (!in_cert)
+	      goto x_default;
+	    if (!(options & IMPORT_SELF_SIGS_ONLY))
+	      goto x_default;
+	    if (pkt->pkt.signature->keyid[0] == keyid[0]
+		&& pkt->pkt.signature->keyid[1] == keyid[1])
+	      { /* This is likely a self-signature.  We import this one.
+		 * Eventually we should use the ISSUER_FPR to compare
+		 * self-signatures, but that will work only for v5 keys
+		 * which are currently not even deployed.
+		 * Note that we do not do any crypto verify here because
+		 * that would defeat this very mitigation of DoS by
+		 * importing a key with a huge amount of faked
+		 * key-signatures.  A verification will be done later in
+		 * the processing anyway.  Here we want a cheap an early
+		 * way to drop non-self-signatures.  */
+		goto x_default;
+	      }
+	    /* Skip this signature.  */
+	    dropped_nonselfsigs++;
+	    free_packet (pkt);
+	    init_packet(pkt);
+	    break;
+	    
 	  case PKT_PUBLIC_KEY:
 	  case PKT_SECRET_KEY:
 	    if( in_cert ) { /* store this packet */
@@ -458,7 +487,11 @@ read_block( IOBUF a, unsigned int option
 		goto ready;
 	    }
 	    in_cert = 1;
+	    keyid_from_pk (pkt->pkt.public_key, keyid);
+	    goto x_default;
+
 	  default:
+         x_default:
 	    if (in_cert && valid_keyblock_packet (pkt->pkttype)) {
 		if( !root )
 		    root = new_kbnode( pkt );
@@ -480,6 +513,10 @@ read_block( IOBUF a, unsigned int option
 	*ret_root = root;
     free_packet( pkt );
     xfree( pkt );
+    if (!rc && dropped_nonselfsigs && opt.verbose)
+      log_info ("key %s: number of dropped non-self-signatures: %u\n",
+		keystr (keyid), dropped_nonselfsigs);
+
     return rc;
 }
 
Index: gnupg-2.0.24/g10/options.h
===================================================================
--- gnupg-2.0.24.orig/g10/options.h
+++ gnupg-2.0.24/g10/options.h
@@ -324,6 +324,7 @@ EXTERN_UNLESS_MAIN_MODULE int memory_sta
 #define IMPORT_MINIMAL                   (1<<5)
 #define IMPORT_CLEAN                     (1<<6)
 #define IMPORT_NO_SECKEY                 (1<<7)
+#define IMPORT_SELF_SIGS_ONLY            (1<<14)
 
 #define EXPORT_LOCAL_SIGS                (1<<0)
 #define EXPORT_ATTRIBUTES                (1<<1)

Places

File gnupg-CVE-2019-13050_1_of_5.patch of Package gpg2.25113

Places