gpg should reject compressed packets outside of messages
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	DemiMarie
	May 22 2022, 12:20 AM

Description

According to the OpenPGP standard, compressed and literal data packets are only allowed in messages. They are forbidden in signatures, secret keys, and certificates. GnuPG should reject compressed and literal data packets that appear outside of signatures.

Details

External Link: https://gitlab.com/openpgp-wg/rfc4880bis/-/commit/83d0433f3f06b8a04879bc9236a37876f0486488

Revisions and Commits

rG GnuPG
	Needs Review	D556 Disallow compressed signatures and certificates
	Abandoned	D555 g10: Disallow compressed signatures and certificates
		rG8e529f922194 gpg: Do not allow compressed key packets on import.
		rG23ccad05c680 gpg: Do not allow compressed key packets on import.

Related Objects

Mentioned Here: rG71b55e91f02c: gpg: Remove --compress-keys and --compress-sigs feature.

Event Timeline

DemiMarie created this task.May 22 2022, 12:20 AM

DemiMarie created this object in space S1 Public.

DemiMarie created this object with edit policy "Custom Policy".

This specificiation is a draft which has not even been discussed in the WG. In any case gpg won't implement this because it would break processing of existing data.

In T5993#158500, @werner wrote:

This specificiation is a draft which has not even been discussed in the WG. In any case gpg won't implement this because it would break processing of existing data.

Are you aware of any such data existing in the wild? I have never come across a compressed signature outside of a test case for PGPainless, which has since dropped support for processing compressed detached signatres.

I would be okay with GnuPG ignoring such packets, but I do not want verifying a signature or importing a key to activate the decompression code and its associated attack surface.

• werner triaged this task as Low priority.May 23 2022, 8:14 AM

• werner edited projects, added gnupg, Feature Request; removed g10.

DemiMarie added a revision: D555: g10: Disallow compressed signatures and certificates.Jun 16 2022, 6:53 PM

DemiMarie added a revision: D556: Disallow compressed signatures and certificates.Jun 20 2022, 6:32 PM

thesamesam added a subscriber: thesamesam.Sep 1 2023, 5:32 AM

This is referenced from https://nvd.nist.gov/vuln/detail/CVE-2022-3219 for CVE-2022-3219. Can this please be fixed?

No, we can't do much about this. It has always been easy to create compression bombs and the more relevant thing here is compressed signed or encrypted data. Or just compressed mails. The patch by @DemiMarie is way to complicated for what it wants to achieve and actually breaks existing use cases. For example Poppler uses GnuPG comment packets to lower its own attack surface by leaving all OpenPGP handling to gpg. The patch (or at least the version we noticed in Fedora and Debian) entirely breaks this use.

It might be useful to have samples of compressed keys:

key-with-long-notation.pub1 KBDownload

key-with-long-notation-compr.pub271 BDownload

We once had the options --compress-key and --compress-sigs but even longer ago we disabled their fucntions and finally removed them with rG71b55e91f02cdb65a8884892f71c4c7bf8a75247. However, creating such keys is easy by using an obvious one line patch in export.c.

(The commits had a wrong bug it in their message)

• werner closed this task as Resolved.Fri, May 16, 2:46 PM

• werner claimed this task.

In T5993#201111, @werner wrote:

For example Poppler uses GnuPG comment packets to lower its own attack surface by leaving all OpenPGP handling to gpg. The patch (or at least the version we noticed in Fedora and Debian) entirely breaks this use.

Could you point to any poppler bug report or sample breakage? I'd like to understand more. Thanks!