Your message dated Fri, 07 Mar 2025 22:21:07 +0000
with message-id <e1tqg43-003ujf...@fasolo.debian.org>
and subject line Bug#1099141: fixed in gnupg2 2.2.46-4
has caused the Debian Bug report #1099141,
regarding GnuPG: Defense against DoS breaks verification of signatures from expired or revoked keys
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1099141: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099141
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ostree
Version: 2025.1-1
Severity: important

Hello,

ostree throws a testsuite error against gpg 2.4.7-5:

FAIL: tests/test-gpg-verify-result 5 /gpg-verify-result/expired-key - OSTree:ERROR:tests/test-gpg-verify-result.c:288:test_expired_key: 'key_expired' should be TRUE

This did not happen against 2.4.7-4. 2.4.7-5 adds a number of patches, and
the triggering commit is

 62d8d2f024d5e5c3289d5bf7892013dc18eac4b0 void DoS on signature verification
 
https://salsa.debian.org/debian/gnupg2/-/commit/62d8d2f024d5e5c3289d5bf7892013dc18eac4b0

which adds three patches from upstream STABLE-BRANCH-2-4:
 + 25d748c3dfc0102f9e54afea59ff26b3969bd8c1 gpg: Lookup key for
   merging/inserting only by primary key.
 + da0164efc7f32013bc24d97b9afa9f8d67c318bb gpg: Fix a verification DoS
   due to a malicious subkey in the keyring.
 + 9cd371b12d80cfc5bc85cb6e5f5eebb4decbe94f gpg: Remove a signature
   check function wrapper.

Ostree's autopkgtest throws more errors, which I do not see on a local
rebuild in sid chroot.

cu Andreas

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.12-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
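The distinction the failing ostree test asserts, a signature that verifies but whose key has expired versus a signature that cannot be verified at all, is exactly what gpg exposes on its machine-readable status channel (`--status-fd`). The parser below is an added example for this thread, not code from ostree or GnuPG (ostree obtains the same information through GPGME rather than reading status lines itself). The keywords it handles are GnuPG's documented status-fd vocabulary; the sample status lines, key id and fingerprint are constructed, and `expired_key_case_ok` is a hypothetical helper that mirrors the `key_expired` property the ostree test checks.

```python
"""Classify a GnuPG signature check from its --status-fd output.

Added example, not code from ostree or GnuPG.  The keywords handled
(NEWSIG, GOODSIG, EXPKEYSIG, REVKEYSIG, BADSIG, ERRSIG, NO_PUBKEY,
VALIDSIG, KEYEXPIRED) are GnuPG's documented status-fd vocabulary;
every sample below is constructed, with a dummy key id and fingerprint.
"""
from dataclasses import dataclass

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class VerifyResult:
    valid: bool = False          # signature checks out against a known key
    key_expired: bool = False    # valid, but the signing key has expired
    key_revoked: bool = False    # valid, but the signing key is revoked
    key_missing: bool = False    # no public key available to check with
    bad_signature: bool = False  # key found, signature does not verify
    key_id: str = ""
    fingerprint: str = ""
    key_expiry: int = 0          # KEYEXPIRED timestamp, if reported


def parse_status(text: str) -> VerifyResult:
    """Parse the status lines for a single signature (first NEWSIG block)."""
    r = VerifyResult()
    seen_sig = False
    for raw in text.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue                     # ordinary stderr chatter, not status
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        kw, args = fields[0], fields[1:]
        if kw == "NEWSIG":
            if seen_sig:
                break                    # only classify the first signature
            seen_sig = True
        elif kw in ("GOODSIG", "EXPKEYSIG", "REVKEYSIG"):
            # All three mean the signature itself verified; the keyword
            # carries the key state.  Reporting an expired or revoked key
            # as "cannot verify" is the regression this bug is about.
            r.valid = True
            r.key_id = args[0]
            r.key_expired = kw == "EXPKEYSIG"
            r.key_revoked = kw == "REVKEYSIG"
        elif kw == "BADSIG":
            r.bad_signature = True
            r.key_id = args[0]
        elif kw == "ERRSIG":
            r.key_id = args[0]           # gpg could not attempt the check
        elif kw == "NO_PUBKEY":
            r.key_missing = True
        elif kw == "VALIDSIG":
            r.fingerprint = args[0]
        elif kw == "KEYEXPIRED":
            r.key_expiry = int(args[0])
    return r


def expired_key_case_ok(text: str) -> bool:
    """Hypothetical helper mirroring the ostree expired-key test: the
    signature must still verify, with key_expired set, not fail outright."""
    r = parse_status(text)
    return r.valid and r.key_expired and not r.key_missing


# Constructed samples: dummy key id 0123456789ABCDEF, dummy fingerprint.
FPR = "ABCD" * 10
EXPIRED_KEY = f"""\
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Signer <signer@example.test>
[GNUPG:] VALIDSIG {FPR} 2025-03-07 1741384800 0 4 0 22 10 00 {FPR}
[GNUPG:] KEYEXPIRED 1741384800
"""
REVOKED_KEY = f"""\
[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG 0123456789ABCDEF Example Signer <signer@example.test>
[GNUPG:] VALIDSIG {FPR} 2025-03-07 1741384800 0 4 0 22 10 00 {FPR}
"""
GOOD_KEY = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.test>
[GNUPG:] VALIDSIG {FPR} 2025-03-07 1741384800 0 4 0 22 10 00 {FPR}
"""
UNKNOWN_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 22 10 00 1741384800 9 -
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""

if __name__ == "__main__":
    for name, sample in [("expired", EXPIRED_KEY), ("revoked", REVOKED_KEY),
                         ("good", GOOD_KEY), ("unknown", UNKNOWN_KEY)]:
        print(name, parse_status(sample))
```

A verifier that folds EXPKEYSIG and REVKEYSIG into a generic failure loses the information a caller like ostree needs to apply its own policy (accept old commits signed before expiry, reject anything from a revoked key); keeping `valid` separate from the key-state flags preserves that distinction, and a run of `expired_key_case_ok` over real `gpg --status-fd 1 --verify` output is a cheap regression check for the behaviour this bug tracks.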
--- Begin Message ---
Source: gnupg2
Source-Version: 2.2.46-4
Done: Daniel Kahn Gillmor <d...@fifthhorseman.net>

We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1099...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <d...@fifthhorseman.net> (supplier of updated gnupg2 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 07 Mar 2025 16:00:13 -0500
Source: gnupg2
Architecture: source
Version: 2.2.46-4
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuPG Maintainers <pkg-gnupg-ma...@lists.alioth.debian.org>
Changed-By: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Closes: 1099141
Changes:
 gnupg2 (2.2.46-4) unstable; urgency=medium
 .
   * Avoid regression when verifying signatures from revoked or expired
     keys (Closes: #1099141)
Checksums-Sha1:
 ed5df373329d8d695d020d5b5f72cadac178aa92 3269 gnupg2_2.2.46-4.dsc
 3b0d65875c4e8c59925556bba93a2467347b5bfb 159372 gnupg2_2.2.46-4.debian.tar.xz
 ada532676f069222aa648e528068fe09c4599939 19071 gnupg2_2.2.46-4_amd64.buildinfo
Checksums-Sha256:
 bf792ec391dfd90887eb386f39f4a106e32ed661687c3df2841c775cf7059a83 3269 
gnupg2_2.2.46-4.dsc
 e28524fa0051562c7140316b5576305c522cc1a6bad70cdd71d3f87162da7e37 159372 
gnupg2_2.2.46-4.debian.tar.xz
 d25909013521bdae41126d328ee0c963906d555544c5ed3ffeb5c7b761dfd4e1 19071 
gnupg2_2.2.46-4_amd64.buildinfo
Files:
 648e7109520cdc205cfc54269c71e04a 3269 utils optional gnupg2_2.2.46-4.dsc
 f0708db217fceafb3ca9cefede56fe7e 159372 utils optional 
gnupg2_2.2.46-4.debian.tar.xz
 8c288829006ddd083b9b118e7027c039 19071 utils optional 
gnupg2_2.2.46-4_amd64.buildinfo


-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRjrBGOWy5dZsiKhad4C4VO2cK0lgUCZ8tpggAKCRB4C4VO2cK0
lhU5AP9NifmZFQYqQRwdXPdZmIKdA0Ba1Ijv5nEd2L3gzTUkWAEAjl9nDCWsPwVQ
PY/SXM2mm4pd52KNoIvDnP1gXLkpkQE=
=6yTB
-----END PGP SIGNATURE-----



--- End Message ---