---

SUSE Linux Advisory: gpg


SUSE Security Announcement

Package: gpg
Announcement-ID: SuSE-SA:2003:048
Date: Wednesday, December 3rd 2003 15:15 MET
Affected products: 7.3, 8.0, 8.1, 8.2, 9.0
SuSE Linux Enterprise Server 7, 8
SuSE Linux Database Server,
SuSE eMail Server III, 3.1
SuSE Linux Firewall on CD/Admin host
SuSE Linux Connectivity Server
SuSE Linux Office Server
SuSE Linux Desktop 1.0
SuSE Linux School Server
SuSE Linux Standard Server 8
Vulnerability Type: cryptographic compromise, remote cmd execution
Severity (1-10): 5
SUSE default package: yes
Cross References: CAN-2003-0971
http://www.gnupg.org/

http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html

Content of this advisory:

  1. security vulnerability resolved: gpg problem description,
    discussion, solution and upgrade information
  2. pending vulnerabilities, solutions, workarounds:
    • kernel
  3. standard appendix (further information)

  1. problem description, brief discussion, solution, upgrade
    information

The gnupg (the SUSE package is named gpg) package is the most
widely used software for cryptographic encryption/decryption of
data.

Two independent errors have been found in gpg (GnuPG) packages
as shipped with SUSE products:

  1. A format string error in the client code that does key
    retrieval from a (public)entoo key server
  2. A cryptographic error in gpg that results in a compromise of a
    cryptographic keypair if ElGamal signing keys have been used for
    generating the key.

A)

There exists a format string error in thhe client code for key
retrieval from a keyserver. gpg-1.2.x version packages are affected
by this vulnerability.
The format string error can be used by an attacker performing a
man-in-the-middle-attack between you and your keyserver, or by a
compromised keyserver. The result is a crash of gpg or a potential
execution of arbitrary code provided by the attacker, if the
keyserver is used for key retrieval at the time of the attack.

B)

Werner Koch, the author of the gpg package, has publicly
announced a weakness in gpg that has been reported to him by Phong
Nguyen: ElGamal signing keys can be attacked within seconds to
reveal the private key of the keypair. It is strongly advised that
ElGamal signing keys should be revoked immediately. Only ElGamal
keys are affected, other types are not vulnerable.

To find out if you are using an ElGamal signing key, list your
public keys using the command

gpg –list-keys your_keyid

Example:
$ gpg –list-keys build@suse.de
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de> sub 2048g/8495160C
2000-10-19 [expires: 2006-02-12] $

If your key lists a capital “G” after the key’s length (like in
pub 1536G/…), then your key is vulnerable. A small letter “g”
after the key length does NOT indicate any problem. ElGamal keys
can be used for primary keys as well as for subkeys. In the case
where only a subkey is an ElGamal key, it is sufficient to revoke
this specific subkey.

To revoke a key, generate a revocation certificate using the
following command:

gpg –gen-revoke your_keyid > revocation_certificate.pgp

Then, the revokation certificate must be imported into your
keyring:

gpg –import < revocation_certificate.pgp

As your last action, send the key with its revocation
certificate to the keyservers that know your key:

gpg –keyserver wwwkeys.eu.pgp.net –send-keys
your_keyid

ElGamal keys can only be generated by gpg if a special option
(–expert) has been used to reveal “expert” options, and if a
warning has been ignored after your choice to use ElGamal keys.
Such keys are rare (Werner Koch reports 848 primary ElGamal signing
keys and 324 vulnerable subkeys on the keyservers.). Therefore, we
expect that only experienced users of gpg may be vulnerable to the
ElGamal signing key error.

UPDATES:

The nature of the ElGamal error implies that a possible
compromise was made possible with the generation of the key in the
past already. There is no way that an update package can prevent
the compromise. However, the update packages that we provide
prevent the use of ElGamal signing keys for key generation once the
packages are installed.

SUSE Linux 8.1 and before contain a gpg package of version 1.0.x
(vulnerable to the ElGamal signing key bug only), a version of
1.2.x has been shipped with SUSE Linux 8.2 and 9.0 (vulnerable to
both errors). We provide update packages that fix both
vulnerabilities, meaning that only the packages affected by both
vulnerabilities are being updated. For this reason, there are only
update packages for SuSE Linux 8.2 and SUSE LINUX 9.0 available for
download.

Important Note:
A proper installation of the gpg update package is critical for
future updates on your system. The gpg program is being used by
YaST Online Update (YOU) to verify the authenticity of your update
package. A failure of a signature verification will result in a
failure of the installation of update packages.

Please download the update package for your distribution and
verify its integrity by the methods listed in section 3) of this
announcement. Then, install the package using the command “rpm -Fhv
file.rpm” to apply the update.
Our maintenance customers are being notified individually. The
packages are being offered to install from the maintenance web.

Intel i386 Platform:

SuSE-9.0:

ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/gpg-1.2.2-121.i586.rpm

3f3513f61408128b5a95bd251540200f
patch rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/gpg-1.2.2-121.i586.patch.rpm

227002b89a49cf3581fb1fb4c185e725
source rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/gpg-1.2.2-121.src.rpm

d3bb8845401d5e707a5da830ab209993

SuSE-8.2:

ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/gpg-1.2.2rc1-98.i586.rpm

ff54dbcb36cf741f108bdd48d5496e5d
patch rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/gpg-1.2.2rc1-98.i586.patch.rpm

0efef8f33670349639fa5c25b3c5f3a3
source rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/gpg-1.2.2rc1-98.src.rpm

13ee0ff9bb2137365ab91f32324a4114

Opteron x86_64 Platform:

SuSE-9.0:

ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/gpg-1.2.2-117.x86_64.rpm

a1679f36e00347a1adf53e2209245274
patch rpm(s):

ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/gpg-1.2.2-117.x86_64.patch.rpm

f3002d4cea60bb0acea1e8bea89d46c9
source rpm(s):

ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/gpg-1.2.2-117.src.rpm

50e58f6853dcd5523172cb4c07a63d89


2) Pending vulnerabilities in SUSE Distributions and
Workarounds:

  • kernel: brk() vulnerability All SUSE Linux kernels (except for
    the SUSE Linux Enterprise Server 8) are vulnerable to a privilege
    escalation vulnerability that can be exploited by an attacker who
    has local shell acccess to your system. We are in the process of
    testing the update packages for all of our products. The
    pentooackages are expected to be released within hours and are
    being published as they are ready. Please follow the guidelines in
    the announcement about the kernel that follows this
    announcement.

3) standard appendix: authenticity verification, additional
information

  • Package authenticity verification:

SUSE update packages are available on many mirror ftp servers
all over the world. While this service is being considered valuable
and important to the free and open source software community, many
users wish to be sure about the origin of the package and its
content before installing the package. There are two verification
methods that can be used independently from each other to prove the
authenticity of a downloaded file or rpm package:

  1. md5sums as provided in the (cryptographically signed)
    announcement.
  2. using the internal gpg signatures of the rpm package.
  3. execute the command md5sum <name-of-the-file.rpm> after
    you downloaded the file from a SUSE ftp server or its mirrors.
    Then, compare the resulting md5sum with the one that is listed in
    the announcement. Since the announcement containing the checksums
    is cryptographically signed (usually using the key security@suse.de), the checksums show
    proof of the authenticity of the package. We disrecommend to
    subscribe to security lists which cause the email message
    containing the announcement to be modified so that the signature
    does not match after transport through the mailing list software.
    Downsides: You must be able to verify the authenticity of the
    announcement in the first place. If RPM packages are being rebuilt
    and a new version of a package is published on the ftp server, all
    md5 sums for the files are useless.
  4. rpm package signatures provide an easy way to verify the
    authenticity of an rpm package. Use the command rpm -v –checksig
    <file.rpm> to verify the signature of the package, where
    <file.rpm> is the filename of the rpm package that you have
    downloaded. Of course, package authenticity verification can only
    target an un-installed rpm package file. Prerequisites:

    1. gpg is installed
    2. The package is signed using a certain key. The public part of
      this key must be installed by the gpg program in the directory
      ~/.gnupg/ under the user’s home directory who performs the
      signature verification (usually root). You can import the key that
      is used by SUSE in rpm packages for SUSE Linux by saving this
      announcement to a file (“announcement.txt”) and running the command
      (do “su -” to be root): gpg –batch; gpg < announcement.txt |
      gpg –import SUSE Linux distributions version 7.1 and thereafter
      install the key “build@suse.de
      upon installation or upgrade, provided that the package gpg is
      installed. The file containing the public key is placed at the
      top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de
      .

      • SUSE runs two security mailing lists to which any interested
        party may subscribe:

suse-security@suse.com

  • general/linux/SUSE security discussion. All SUSE security
    announcements are sent to this list. To subscribe, send an email to

    <suse-security-subscribe@suse.com>.

suse-security-announce@suse.com

For general information or the frequently asked questions (faq)
send mail to:

        <suse-security-info@suse.com> or
        <suse-security-faq@suse.com> respectively.

SUSE’s security contact is <security@suse.com> or
<security@suse.de>. The
<security@suse.de>
public key is listed below.



The information in this advisory may be distributed or
reproduced, provided that the advisory is not modified in any way.
In particular, it is desired that the clear-text signature shows
proof of the authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with
respect to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis