SUSE Security Announcement
Package: | gpg |
Announcement-ID: | SuSE-SA:2003:048 |
Date: | Wednesday, December 3rd 2003 15:15 MET |
Affected products: | 7.3, 8.0, 8.1, 8.2, 9.0 SuSE Linux Enterprise Server 7, 8 SuSE Linux Database Server, SuSE eMail Server III, 3.1 SuSE Linux Firewall on CD/Admin host SuSE Linux Connectivity Server SuSE Linux Office Server SuSE Linux Desktop 1.0 SuSE Linux School Server SuSE Linux Standard Server 8 |
Vulnerability Type: | cryptographic compromise, remote cmd execution |
Severity (1-10): | 5 |
SUSE default package: | yes |
Cross References: | CAN-2003-0971 http://www.gnupg.org/ http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html |
Content of this advisory:
- security vulnerability resolved: gpg problem description,
discussion, solution and upgrade information - pending vulnerabilities, solutions, workarounds:
- kernel
- standard appendix (further information)
- problem description, brief discussion, solution, upgrade
information
The gnupg (the SUSE package is named gpg) package is the most
widely used software for cryptographic encryption/decryption of
data.
Two independent errors have been found in gpg (GnuPG) packages
as shipped with SUSE products:
- A format string error in the client code that does key
retrieval from a (public)entoo key server - A cryptographic error in gpg that results in a compromise of a
cryptographic keypair if ElGamal signing keys have been used for
generating the key.
A)
There exists a format string error in thhe client code for key
retrieval from a keyserver. gpg-1.2.x version packages are affected
by this vulnerability.
The format string error can be used by an attacker performing a
man-in-the-middle-attack between you and your keyserver, or by a
compromised keyserver. The result is a crash of gpg or a potential
execution of arbitrary code provided by the attacker, if the
keyserver is used for key retrieval at the time of the attack.
B)
Werner Koch, the author of the gpg package, has publicly
announced a weakness in gpg that has been reported to him by Phong
Nguyen: ElGamal signing keys can be attacked within seconds to
reveal the private key of the keypair. It is strongly advised that
ElGamal signing keys should be revoked immediately. Only ElGamal
keys are affected, other types are not vulnerable.
To find out if you are using an ElGamal signing key, list your
public keys using the command
gpg –list-keys your_keyid
Example:
$ gpg –list-keys build@suse.de
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de> sub 2048g/8495160C
2000-10-19 [expires: 2006-02-12] $
If your key lists a capital “G” after the key’s length (like in
pub 1536G/…), then your key is vulnerable. A small letter “g”
after the key length does NOT indicate any problem. ElGamal keys
can be used for primary keys as well as for subkeys. In the case
where only a subkey is an ElGamal key, it is sufficient to revoke
this specific subkey.
To revoke a key, generate a revocation certificate using the
following command:
gpg –gen-revoke your_keyid > revocation_certificate.pgp
Then, the revokation certificate must be imported into your
keyring:
gpg –import < revocation_certificate.pgp
As your last action, send the key with its revocation
certificate to the keyservers that know your key:
gpg –keyserver wwwkeys.eu.pgp.net –send-keys
your_keyid
ElGamal keys can only be generated by gpg if a special option
(–expert) has been used to reveal “expert” options, and if a
warning has been ignored after your choice to use ElGamal keys.
Such keys are rare (Werner Koch reports 848 primary ElGamal signing
keys and 324 vulnerable subkeys on the keyservers.). Therefore, we
expect that only experienced users of gpg may be vulnerable to the
ElGamal signing key error.
UPDATES:
The nature of the ElGamal error implies that a possible
compromise was made possible with the generation of the key in the
past already. There is no way that an update package can prevent
the compromise. However, the update packages that we provide
prevent the use of ElGamal signing keys for key generation once the
packages are installed.
SUSE Linux 8.1 and before contain a gpg package of version 1.0.x
(vulnerable to the ElGamal signing key bug only), a version of
1.2.x has been shipped with SUSE Linux 8.2 and 9.0 (vulnerable to
both errors). We provide update packages that fix both
vulnerabilities, meaning that only the packages affected by both
vulnerabilities are being updated. For this reason, there are only
update packages for SuSE Linux 8.2 and SUSE LINUX 9.0 available for
download.
Important Note:
A proper installation of the gpg update package is critical for
future updates on your system. The gpg program is being used by
YaST Online Update (YOU) to verify the authenticity of your update
package. A failure of a signature verification will result in a
failure of the installation of update packages.
Please download the update package for your distribution and
verify its integrity by the methods listed in section 3) of this
announcement. Then, install the package using the command “rpm -Fhv
file.rpm” to apply the update.
Our maintenance customers are being notified individually. The
packages are being offered to install from the maintenance web.
Intel i386 Platform:
SuSE-9.0:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/gpg-1.2.2-121.i586.rpm
3f3513f61408128b5a95bd251540200f
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/gpg-1.2.2-121.i586.patch.rpm
227002b89a49cf3581fb1fb4c185e725
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/gpg-1.2.2-121.src.rpm
d3bb8845401d5e707a5da830ab209993
SuSE-8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/gpg-1.2.2rc1-98.i586.rpm
ff54dbcb36cf741f108bdd48d5496e5d
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/gpg-1.2.2rc1-98.i586.patch.rpm
0efef8f33670349639fa5c25b3c5f3a3
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/gpg-1.2.2rc1-98.src.rpm
13ee0ff9bb2137365ab91f32324a4114
Opteron x86_64 Platform:
SuSE-9.0:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/gpg-1.2.2-117.x86_64.rpm
a1679f36e00347a1adf53e2209245274
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/gpg-1.2.2-117.x86_64.patch.rpm
f3002d4cea60bb0acea1e8bea89d46c9
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/gpg-1.2.2-117.src.rpm
50e58f6853dcd5523172cb4c07a63d89
2) Pending vulnerabilities in SUSE Distributions and
Workarounds:
- kernel: brk() vulnerability All SUSE Linux kernels (except for
the SUSE Linux Enterprise Server 8) are vulnerable to a privilege
escalation vulnerability that can be exploited by an attacker who
has local shell acccess to your system. We are in the process of
testing the update packages for all of our products. The
pentooackages are expected to be released within hours and are
being published as they are ready. Please follow the guidelines in
the announcement about the kernel that follows this
announcement.
3) standard appendix: authenticity verification, additional
information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers
all over the world. While this service is being considered valuable
and important to the free and open source software community, many
users wish to be sure about the origin of the package and its
content before installing the package. There are two verification
methods that can be used independently from each other to prove the
authenticity of a downloaded file or rpm package:
- md5sums as provided in the (cryptographically signed)
announcement. - using the internal gpg signatures of the rpm package.
- execute the command md5sum <name-of-the-file.rpm> after
you downloaded the file from a SUSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in
the announcement. Since the announcement containing the checksums
is cryptographically signed (usually using the key security@suse.de), the checksums show
proof of the authenticity of the package. We disrecommend to
subscribe to security lists which cause the email message
containing the announcement to be modified so that the signature
does not match after transport through the mailing list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless. - rpm package signatures provide an easy way to verify the
authenticity of an rpm package. Use the command rpm -v –checksig
<file.rpm> to verify the signature of the package, where
<file.rpm> is the filename of the rpm package that you have
downloaded. Of course, package authenticity verification can only
target an un-installed rpm package file. Prerequisites:- gpg is installed
- The package is signed using a certain key. The public part of
this key must be installed by the gpg program in the directory
~/.gnupg/ under the user’s home directory who performs the
signature verification (usually root). You can import the key that
is used by SUSE in rpm packages for SUSE Linux by saving this
announcement to a file (“announcement.txt”) and running the command
(do “su -” to be root): gpg –batch; gpg < announcement.txt |
gpg –import SUSE Linux distributions version 7.1 and thereafter
install the key “build@suse.de”
upon installation or upgrade, provided that the package gpg is
installed. The file containing the public key is placed at the
top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de
.- SUSE runs two security mailing lists to which any interested
party may subscribe:
- SUSE runs two security mailing lists to which any interested
- general/linux/SUSE security discussion. All SUSE security
announcements are sent to this list. To subscribe, send an email to
suse-security-announce@suse.com
- SUSE’s announce-only mailing list. Only SUSE’s security
announcements are sent to this list. To subscribe, send an email to
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info@suse.com> or <suse-security-faq@suse.com> respectively.
SUSE’s security contact is <security@suse.com> or
<security@suse.de>. The
<security@suse.de>
public key is listed below.
The information in this advisory may be distributed or
reproduced, provided that the advisory is not modified in any way.
In particular, it is desired that the clear-text signature shows
proof of the authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with
respect to the information contained in this security advisory.
Type | Bits/KeyID | Date | User ID |
pub | 2048R/3D25D3D9 | 1999-03-06 | SuSE Security Team <security@suse.de> |
pub | 1024D/9C800ACA | 2000-10-19 | SuSE Package Signing Key <build@suse.de> |