Page MenuHome GnuPG
Create Task
Maniphest T5993

gpg should reject compressed packets outside of messages
Open, LowPublic
Actions

Description

According to the OpenPGP standard, compressed and literal data packets are only allowed in messages. They are forbidden in signatures, secret keys, and certificates. GnuPG should reject compressed and literal data packets that appear outside of signatures.

Details

External Link
https://gitlab.com/openpgp-wg/rfc4880bis/-/commit/83d0433f3f06b8a04879bc9236a37876f0486488

Revisions and Commits

rG GnuPG
Needs ReviewD556 Disallow compressed signatures and certificates
AbandonedD555 g10: Disallow compressed signatures and certificates

Event Timeline

DemiMarie created this task.May 22 2022, 12:20 AM
DemiMarie created this object in space S1 Public.
DemiMarie created this object with edit policy "Custom Policy".
werner added a subscriber: werner.May 22 2022, 11:34 AM

This specificiation is a draft which has not even been discussed in the WG. In any case gpg won't implement this because it would break processing of existing data.

DemiMarie added a comment.May 22 2022, 8:56 PM
In T5993#158500, @werner wrote:

This specificiation is a draft which has not even been discussed in the WG. In any case gpg won't implement this because it would break processing of existing data.

Are you aware of any such data existing in the wild? I have never come across a compressed signature outside of a test case for PGPainless, which has since dropped support for processing compressed detached signatres.

DemiMarie added a comment.May 22 2022, 8:57 PM

I would be okay with GnuPG ignoring such packets, but I do not want verifying a signature or importing a key to activate the decompression code and its associated attack surface.

werner triaged this task as Low priority.May 23 2022, 8:14 AM
werner edited projects, added gnupg, Feature Request; removed g10.
DemiMarie added a revision: D555: g10: Disallow compressed signatures and certificates.Jun 16 2022, 6:53 PM
DemiMarie added a revision: D556: Disallow compressed signatures and certificates.Jun 20 2022, 6:32 PM
thesamesam added a subscriber: thesamesam.Sep 1 2023, 5:32 AM
wiz added a subscriber: wiz.Feb 11 2024, 11:09 AM

This is referenced from https://nvd.nist.gov/vuln/detail/CVE-2022-3219 for CVE-2022-3219. Can this please be fixed?