FS#58120 - [gnupg] CVE-2018-9234: Unenforced configuration allows for apparently valid certifications actually

Attached to Project: Arch Linux
Opened by Karol Babioch (kbabioch) - Thursday, 05 April 2018, 08:25 GMT
Last edited by Gaetan Bisson (vesath) - Thursday, 05 April 2018, 20:36 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Gaetan Bisson (vesath)
Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No



GnuPG through version 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.

This task depends upon

Closed by  Gaetan Bisson (vesath)
Thursday, 05 April 2018, 20:36 GMT
Reason for closing:  Fixed
Additional comments about closing:  gnupg-2.2.5-2 in [testing]
Comment by Gaetan Bisson (vesath) - Thursday, 05 April 2018, 20:12 GMT
Thanks for the heads up. We'll wait for an upstream fix and package new releases as soon as they're available.
Comment by Levente Polyak (anthraxx) - Thursday, 05 April 2018, 20:18 GMT
please do not close bug reports of vulnerable package that are still vulnerable, no matter if the security issues lays upstream or downstream. We keep security related bug tickets until the issue is resolved, either via backport or via upstream release.
Comment by Gaetan Bisson (vesath) - Thursday, 05 April 2018, 20:36 GMT
So I actually decided to patch the current release. Enjoy!

Levente: Instead of closing, next time, I'll just reassign the ticket to you. I like my list of open tickets to reflect what I have left to do.