Your message dated Fri, 07 Mar 2025 20:48:37 +0000
with message-id <e1tqecx-003fch...@fasolo.debian.org>
and subject line Bug#1099141: fixed in gnupg2 2.4.7-8
has caused the Debian Bug report #1099141,
regarding GnuPG: Defense against DoS breaks verification of signatures from expired or revoked keys
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1099141: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099141
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ostree
Version: 2025.1-1
Severity: important

Hello,

ostree throws a testsuite error against gpg 2.4.7-5:

FAIL: tests/test-gpg-verify-result 5 /gpg-verify-result/expired-key - OSTree:ERROR:tests/test-gpg-verify-result.c:288:test_expired_key: 'key_expired' should be TRUE

This did not happen against 2.4.7-4. 2.4.7-5 adds a number of patches, and
the triggering commit is

 62d8d2f024d5e5c3289d5bf7892013dc18eac4b0 void DoS on signature verification
 
https://salsa.debian.org/debian/gnupg2/-/commit/62d8d2f024d5e5c3289d5bf7892013dc18eac4b0

which adds three patches from upstream STABLE-BRANCH-2-4:
 + 25d748c3dfc0102f9e54afea59ff26b3969bd8c1 gpg: Lookup key for
   merging/inserting only by primary key.
 + da0164efc7f32013bc24d97b9afa9f8d67c318bb gpg: Fix a verification DoS
   due to a malicious subkey in the keyring.
 + 9cd371b12d80cfc5bc85cb6e5f5eebb4decbe94f gpg: Remove a signature
   check function wrapper.

Ostree's autopkgtest throws more errors, which I do not see on a local
rebuild in a sid chroot.

cu Andreas

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.12-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
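The failing ostree test above expects a signature made by an expired key to come back as verified with key_expired set, rather than as a verification failure. The Python below is an added example, not ostree's or GnuPG's code: it folds the status lines GnuPG emits on --status-fd (keywords as documented in GnuPG's doc/DETAILS; ostree reaches the same lines through GPGME) into one result, so that "good signature, expired key" (EXPKEYSIG), "good signature, revoked key" (REVKEYSIG), "bad signature" (BADSIG) and "cannot verify" (ERRSIG/NO_PUBKEY) stay distinguishable, and then applies a conservative acceptance policy. The report does not say which status the regressed gpg build emitted instead of EXPKEYSIG, so the sample status lines, key IDs, fingerprints and user IDs here are all constructed.

```python
"""Classify GnuPG --status-fd output for one signature verification.

Added example, not ostree's or GnuPG's code. Keyword meanings follow
GnuPG's doc/DETAILS; every sample status line below is constructed.
"""
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class VerifyResult:
    valid: bool = False         # signature cryptographically checked out
    key_expired: bool = False   # signing key had expired (EXPKEYSIG)
    key_revoked: bool = False   # signing key was revoked (REVKEYSIG)
    sig_expired: bool = False   # signature's own expiry has passed (EXPSIG)
    keyid: str = ""
    error: str = ""
    keywords: list = field(default_factory=list)


def parse_status(lines):
    """Fold a sequence of gpg output lines into one VerifyResult."""
    result = VerifyResult()
    for raw in lines:
        if not raw.startswith(STATUS_PREFIX):
            continue  # ordinary stderr chatter, not a status line
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        result.keywords.append(keyword)
        if keyword in ("GOODSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
            # All four mean the signature verified; three of them add a flag
            # that the caller must decide how to treat.
            result.valid = True
            result.keyid = args[0]
            result.key_expired |= keyword == "EXPKEYSIG"
            result.key_revoked |= keyword == "REVKEYSIG"
            result.sig_expired |= keyword == "EXPSIG"
        elif keyword == "BADSIG":
            result.valid = False
            result.keyid = args[0]
            result.error = "bad signature"
        elif keyword == "ERRSIG":
            # ERRSIG <keyid> <pkalgo> <hashalgo> <sigclass> <time> <rc> [<fpr>]
            result.valid = False
            result.keyid = args[0]
            rc = args[5] if len(args) > 5 else "?"
            result.error = "no public key" if rc == "9" else f"verification error rc={rc}"
        elif keyword == "NO_PUBKEY":
            result.error = result.error or "no public key"
    return result


def accept(result, allow_expired_key=False, allow_revoked_key=False):
    """Policy: an unverifiable or bad signature is always rejected; a verified
    signature from an expired or revoked key is rejected unless the caller
    explicitly opts in (as the ostree test does for expired keys)."""
    if not result.valid or result.sig_expired:
        return False
    if result.key_revoked and not allow_revoked_key:
        return False
    if result.key_expired and not allow_expired_key:
        return False
    return True


# Constructed samples; key IDs, fingerprints and user IDs are placeholders.
_FPR = "00112233445566778899AABBCCDDEEFF01234567"
EXPIRED_KEY = [
    "[GNUPG:] NEWSIG",
    "gpg: Signature made Thu 05 Dec 2024 10:00:00 UTC",
    "[GNUPG:] KEYEXPIRED 1733000000",
    "[GNUPG:] EXPKEYSIG 0123456789ABCDEF Test Key <test@example.invalid>",
    f"[GNUPG:] VALIDSIG {_FPR} 2024-12-05 1733392800 0 4 0 22 8 00 {_FPR}",
]
UNKNOWN_KEY = [
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] ERRSIG 0123456789ABCDEF 22 8 00 1733392800 9 {_FPR}",
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF",
]
BAD_SIG = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 0123456789ABCDEF Test Key <test@example.invalid>",
]

if __name__ == "__main__":
    for name, sample in (("expired key", EXPIRED_KEY),
                         ("unknown key", UNKNOWN_KEY),
                         ("bad signature", BAD_SIG)):
        r = parse_status(sample)
        print(f"{name:14} valid={r.valid} key_expired={r.key_expired} "
              f"error={r.error!r} accept={accept(r)} "
              f"accept_if_expired_ok={accept(r, allow_expired_key=True)}")
```

The point the ostree test relies on is the first sample: the signature is valid and key_expired is set, which is a different outcome from the other two, and a consumer that collapses all three into "verification failed" can no longer apply a per-key expiry policy.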
--- Begin Message ---
Source: gnupg2
Source-Version: 2.4.7-8
Done: Daniel Kahn Gillmor <d...@fifthhorseman.net>

We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1099...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <d...@fifthhorseman.net> (supplier of updated gnupg2 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 07 Mar 2025 13:54:17 -0500
Source: gnupg2
Architecture: source
Version: 2.4.7-8
Distribution: experimental
Urgency: medium
Maintainer: Debian GnuPG Maintainers <pkg-gnupg-ma...@lists.alioth.debian.org>
Changed-By: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Closes: 1099141
Changes:
 gnupg2 (2.4.7-8) experimental; urgency=medium
 .
   * Avoid regression on sig verification for expired or revoked keys
     (Closes: #1099141)
Checksums-Sha1:
 44a4140c300086e4649a1cbee4ddbefd10c28f64 3381 gnupg2_2.4.7-8.dsc
 db5645443e15a3a0293b4cd25a653e5444acce24 102448 gnupg2_2.4.7-8.debian.tar.xz
 cfadaaa914885221add786dce2e3e9e7f87f8967 21488 gnupg2_2.4.7-8_amd64.buildinfo
Checksums-Sha256:
 7bd9ddbd84d0a5042381c536d42ce3350ec9112fd8a9996aac0b02164a207651 3381 gnupg2_2.4.7-8.dsc
 6a11f2a61ad4b13879eae31cfa3e9cf25ea3570da682602e28ff7670bbaffe28 102448 gnupg2_2.4.7-8.debian.tar.xz
 0c2e24d6074c77cbb3872959b93b06017653744eaf5e5f3e25e0e8e9b2f2998a 21488 gnupg2_2.4.7-8_amd64.buildinfo
Files:
 f27c5aeff9699426aa84493eddfaa12a 3381 utils optional gnupg2_2.4.7-8.dsc
 08d57bdf2e5185d98963b5daf07886a7 102448 utils optional gnupg2_2.4.7-8.debian.tar.xz
 7495406321d461141b5bace5dcc11d83 21488 utils optional gnupg2_2.4.7-8_amd64.buildinfo


-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRjrBGOWy5dZsiKhad4C4VO2cK0lgUCZ8tPuAAKCRB4C4VO2cK0
ltynAQCQV0ByD6ztHI88IhQ0tIoVAYQnEN19PvKa2HI1wqLDrgD+IjCQ4+SLIkUE
zreGFZEUdje/kn2To0+qvb9Iy66vlwg=
=Wy/Y
-----END PGP SIGNATURE-----



--- End Message ---
