
gpg should reject compressed packets outside of messages
Open, Low, Public

Description

According to the OpenPGP standard, compressed and literal data packets are only allowed in messages. They are forbidden in signatures, secret keys, and certificates. GnuPG should reject compressed and literal data packets that appear outside of signatures.
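As an added illustration of the check this request asks for (example code, not GnuPG's), the pass below walks the packet framing of a detached signature or key blob and rejects compressed (tag 8) and literal data (tag 11) packets before any packet body could reach a decompressor. The packet bodies in the samples are constructed dummy bytes, not real signatures.

```python
"""Reject OpenPGP compressed (tag 8) and literal data (tag 11) packets outside
messages by inspecting packet framing only (RFC 4880 section 4.2); samples are constructed."""
FORBIDDEN_OUTSIDE_MESSAGES = {8, 11}  # compressed data, literal data

def _new_format_length(buf, pos):
    """Decode a new-format body length at buf[pos] -> (length, next_pos, partial)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2, False
    if first == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True  # partial body length chunk

def iter_packet_tags(data):
    """Yield the tag of each top-level packet without parsing packet bodies."""
    pos, end = 0, len(data)
    while pos < end:
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header 0x{ctb:02x} at offset {pos}")
        if ctb & 0x40:  # new-format header: tag is the low 6 bits
            tag = ctb & 0x3F
            length, pos, partial = _new_format_length(data, pos + 1)
            pos += length
            while partial:  # skip the remaining partial-body chunks
                length, pos, partial = _new_format_length(data, pos)
                pos += length
        else:  # old-format header: tag in bits 2-5, length type in bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:  # indeterminate length: body runs to end of input
                pos = end
            else:
                n = (1, 2, 4)[ltype]
                pos += 1 + n + int.from_bytes(data[pos + 1:pos + 1 + n], "big")
        if pos > end:
            raise ValueError(f"packet with tag {tag} is truncated")
        yield tag

def check_not_message(data, context="signature"):
    """Raise ValueError if a packet only valid inside a message is present."""
    for index, tag in enumerate(iter_packet_tags(data)):
        if tag in FORBIDDEN_OUTSIDE_MESSAGES:
            raise ValueError(f"packet {index} has tag {tag}, forbidden in a {context}")
    return True

# Constructed samples: a signature packet (tag 2) with dummy body, then the same with a tag 8 packet prepended.
DETACHED_SIG = bytes([0xC2, 0x03, 0x04, 0x00, 0x01])
SIG_WITH_COMPRESSED = bytes([0xC8, 0x04, 0x01, 0xAA, 0xBB, 0xCC]) + DETACHED_SIG
```

Because only headers and lengths are read, the check costs a single linear pass and never allocates or inflates packet bodies.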

Event Timeline

DemiMarie created this object in space S1 Public.
DemiMarie created this object with edit policy "Custom Policy".

This specification is a draft which has not even been discussed in the WG. In any case gpg won't implement this because it would break processing of existing data.

Are you aware of any such data existing in the wild? I have never come across a compressed signature outside of a test case for PGPainless, which has since dropped support for processing compressed detached signatures.

I would be okay with GnuPG ignoring such packets, but I do not want verifying a signature or importing a key to activate the decompression code and its associated attack surface.

werner edited projects, added gnupg, Feature Request; removed g10.

This is referenced from https://nvd.nist.gov/vuln/detail/CVE-2022-3219 for CVE-2022-3219. Can this please be fixed?