According to the OpenPGP standard, compressed and literal data packets are only allowed in messages. They are forbidden in signatures, secret keys, and certificates. GnuPG should reject compressed and literal data packets that appear outside of signatures.
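As an added illustration of the check the description asks for (example code written for this page, not GnuPG's own implementation), the following walks an OpenPGP packet sequence using the RFC 4880 header framing and reports compressed (tag 8) and literal (tag 11) data packets, so that a detached signature or key carrying one can be refused before any decompression code runs. The tag numbers and length encodings are those of RFC 4880; the sample byte strings are hand-constructed minimal packets with placeholder fields, not real signatures or keys.

```python
# Added example, not GnuPG code: find compressed/literal data packets in input
# that is supposed to be a detached signature or a key, where RFC 4880 11.3
# does not allow them. Header framing follows RFC 4880 section 4.2.

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13
TAG_COMPRESSED, TAG_LITERAL = 8, 11
MESSAGE_ONLY_TAGS = {TAG_COMPRESSED, TAG_LITERAL}


def parse_packet_headers(data: bytes) -> list:
    """Return [(tag, header_offset, body_offset, body_length), ...].

    Partial body lengths (new format) and indeterminate lengths (old format)
    raise ValueError: RFC 4880 4.2.2.4 permits partial lengths only for
    literal, compressed and encrypted data, so they are out of place in a
    key or signature as well.
    """
    packets, pos = [], 0
    while pos < len(data):
        try:
            ptag = data[pos]
            if not ptag & 0x80:
                raise ValueError(f"offset {pos}: bit 7 of packet tag octet not set")
            if ptag & 0x40:                  # new-format header
                tag = ptag & 0x3F
                l1 = data[pos + 1]
                if l1 < 192:
                    length, hdr = l1, 2
                elif l1 < 224:
                    length, hdr = ((l1 - 192) << 8) + data[pos + 2] + 192, 3
                elif l1 == 255:
                    length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
                else:
                    raise ValueError(f"offset {pos}: partial body length on tag {tag}")
            else:                            # old-format header
                tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03
                if ltype == 3:
                    raise ValueError(f"offset {pos}: indeterminate length on tag {tag}")
                nlen = 1 << ltype            # 1, 2 or 4 length octets
                length = int.from_bytes(data[pos + 1:pos + 1 + nlen], "big")
                hdr = 1 + nlen
        except IndexError:
            raise ValueError(f"offset {pos}: truncated packet header") from None
        body = pos + hdr
        if body + length > len(data):
            raise ValueError(f"offset {pos}: body of tag {tag} runs past end of input")
        packets.append((tag, pos, body, length))
        pos = body + length
    return packets


def find_message_only_packets(data: bytes) -> list:
    """Return [(tag, header_offset)] for every compressed or literal packet."""
    return [(tag, off) for tag, off, _body, _length in parse_packet_headers(data)
            if tag in MESSAGE_ONLY_TAGS]


def accepts(data: bytes) -> bool:
    """Policy for signature/key input: well framed and free of tags 8 and 11."""
    try:
        return not find_message_only_packets(data)
    except ValueError:
        return False


# Constructed samples; field contents are placeholders, not valid crypto.
# A 6-octet "signature" packet, new-format tag 2.
FAKE_SIG = bytes([0xC2, 0x06, 0x04, 0x00, 0x01, 0x08, 0xAA, 0xBB])
# The same packet wrapped in a compressed data packet (tag 8, algorithm 0 =
# uncompressed): the inner signature is only reachable through the inflater.
COMPRESSED_SIG = bytes([0xC8, 1 + len(FAKE_SIG), 0x00]) + FAKE_SIG
# Old-format public key packet (tag 6 -> 0x98, one length octet), a user ID
# (tag 13) and a literal data packet (tag 11) smuggled into the key.
OLD_PUBKEY = bytes([0x98, 0x03, 0x04, 0x00, 0x00])
USER_ID = bytes([0xCD, 0x03]) + b"bob"
LITERAL = bytes([0xCB, 0x08, 0x62, 0x00, 0, 0, 0, 0]) + b"hi"
KEY_WITH_LITERAL = OLD_PUBKEY + USER_ID + LITERAL
# A compressed packet announced with a partial body length (0xE0 = 2**0 octets).
PARTIAL_LENGTH = bytes([0xC8, 0xE0])

if __name__ == "__main__":
    for name, blob in [("FAKE_SIG", FAKE_SIG), ("COMPRESSED_SIG", COMPRESSED_SIG),
                       ("KEY_WITH_LITERAL", KEY_WITH_LITERAL),
                       ("PARTIAL_LENGTH", PARTIAL_LENGTH)]:
        print(f"{name}: {'accept' if accepts(blob) else 'reject'}")
```

The check is deliberately done on the packet headers alone: the offending packet is identified from its tag octet and length field without ever opening its body, which is the point of rejecting it before the decompression code is entered.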
Event Timeline
This specification is a draft which has not even been discussed in the WG. In any case gpg won't implement this because it would break processing of existing data.
Are you aware of any such data existing in the wild? I have never come across a compressed signature outside of a test case for PGPainless, which has since dropped support for processing compressed detached signatures.
I would be okay with GnuPG ignoring such packets, but I do not want verifying a signature or importing a key to activate the decompression code and its associated attack surface.
This is referenced from https://nvd.nist.gov/vuln/detail/CVE-2022-3219 for CVE-2022-3219. Can this please be fixed?
No, we can't do much about this. It has always been easy to create compression bombs and the more relevant thing here is compressed signed or encrypted data. Or just compressed mails. The patch by @DemiMarie is way too complicated for what it wants to achieve and actually breaks existing use cases. For example Poppler uses GnuPG comment packets to lower its own attack surface by leaving all OpenPGP handling to gpg. The patch (or at least the version we noticed in Fedora and Debian) entirely breaks this use.
It might be useful to have samples of compressed keys:
We once had the options --compress-key and --compress-sigs but even longer ago we disabled their functions and finally removed them with rG71b55e91f02cdb65a8884892f71c4c7bf8a75247. However, creating such keys is easy by using an obvious one line patch in export.c.
Could you point to any poppler bug report or sample breakage? I'd like to understand more. Thanks!