
Leak of User-ID via clipboard
Closed, Invalid (Public)

Description

Hello,

My friend was kind enough and keen to alert me that public keys that I had pasted for import into my keyring had all shown up in his log viewer. This was frightening.

This is what he sent me (100% accurate)

Have a great week!

0:291E663A465C101B:K::?::::
0:291E663A465C101B:U:::f:::[name redacted]:
0:A48F5D9CFA503993:K::?::::
0:A48F5D9CFA503993:U:::f:::[name redacted]:
0:7275F28F74D467AF:K::?::::
0:7275F28F74D467AF:U:::f:::[name redacted]:
0:23EEBA5714B01357:K::?::::
0:23EEBA5714B01357:U:::f:::[name redacted]:
0:98287E704D305F57:K::?::::
0:98287E704D305F57:U:::f:::[name redacted]:
0:AD5B51CD0C88C947:K::?::::
0:AD5B51CD0C88C947:U:::f:::[name redacted]:
0:8D66066A2EEACCDA:K::?::
0:8D66066A2EEACCDA:U:::f:::[name redacted]:
0:8D66066A2EEACCDA:U:::f:::[name redacted]:
0:8D66066A2EEACCDA:U:::f:::[name redacted]:
0:980299FE86E0C051:K::?::::
0:980299FE86E0C051:U:::f:::[name redacted]:
0:53FBFFD98698B500:K::?::::
0:53FBFFD98698B500:U:::f:::[name redacted]:
0:2EC406E18B78EFDB:K::?::::
0:2EC406E18B78EFDB:U:::f:::[name redacted]:
0:5C5F1388EAD7C986:K::?::::
0:5C5F1388EAD7C986:U:::f:::[name redacted]:
0:EE041B27E9144D7F:K::?::::
0:EE041B27E9144D7F:U:::f:::[name redacted]:
0:CBE808C953D7EE6F:K::?::::
0:CBE808C953D7EE6F:U:::f:::[name redacted]:
0:C0146C99D0D5444E:K::?::::
0:C0146C99D0D5444E:U:::f:::[name redacted]:
0:06FEE0C5990C9A50:K::?::::
0:06FEE0C5990C9A50:U:::f:::[name redacted]:
0:FB5CE5B9E162C6EF:K::?::::
0:FB5CE5B9E162C6EF:U:::f:::[name redacted]:
0:4A7CC0785F0C1A75:K::?::::
0:4A7CC0785F0C1A75:U:::f:::[name redacted]:
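For triaging a paste like the one above, an added helper (not code from the report or from GnuPG/Kleopatra) that pulls the records apart so a reviewer can see exactly which key IDs and user IDs appear. The field meanings are inferred from the pasted lines only and are an assumption: field 1 is the 16-hex-digit key ID, field 2 is the record type (`K` for a key, `U` for a user ID), and in `U` records field 8 holds the user ID text. It also copes with the two irregularities visible in the paste: a sign-off glued in front of the first record, and one `K` record with fewer trailing colons. The sample lines are constructed with placeholder names.

```python
"""Triage helper for colon-separated key/user-ID records like those pasted in T7354.

Assumption (inferred from the pasted lines, not from GnuPG documentation):
  field 0 = numeric prefix, field 1 = 16-hex-digit key ID,
  field 2 = record type ('K' = key, 'U' = user ID),
  field 8 = user ID text on 'U' records (the part shown as [name redacted]).
"""
import re
from collections import OrderedDict

# A record starts with "<digits>:<16 hex>:<K|U>:". Searching (not matching)
# lets us recover a record even when unrelated text was glued in front of it,
# as with "Have a great week!0:291E..." in the report.
RECORD_START = re.compile(r"\d+:[0-9A-Fa-f]{16}:[KU]:")

# Constructed sample: the report's record layout with placeholder user IDs.
SAMPLE = """Have a great week!0:291E663A465C101B:K::?::::
0:291E663A465C101B:U:::f:::Alice Example <alice@example.org>:
0:8D66066A2EEACCDA:K::?::
0:8D66066A2EEACCDA:U:::f:::Bob Example <bob@example.org>:
0:8D66066A2EEACCDA:U:::f:::Bob Example (work) <bob@example.com>:
0:8D66066A2EEACCDA:U:::f:::bob@example.net:
Thanks again!
"""


def parse_records(text):
    """Yield (key_id, record_type, fields) for every record found in text."""
    for raw in text.splitlines():
        m = RECORD_START.search(raw)
        if m is None:
            continue  # plain prose line, e.g. a sign-off: not a record
        fields = raw[m.start():].split(":")
        # Pad short records (the report has a 'K' line with fewer trailing
        # colons) so that indexing field 8 is always safe.
        fields += [""] * (10 - len(fields))
        yield fields[1].upper(), fields[2], fields


def summarize(text):
    """Map each key ID to the list of user IDs recorded for it, in paste order."""
    keys = OrderedDict()
    for key_id, rtype, fields in parse_records(text):
        keys.setdefault(key_id, [])
        if rtype == "U" and fields[8]:
            keys[key_id].append(fields[8])
    return keys


def count_user_ids(text):
    """Total number of 'U' records, i.e. user-ID strings present in the paste."""
    return sum(1 for _, rtype, _ in parse_records(text) if rtype == "U")


if __name__ == "__main__":
    for key_id, uids in summarize(SAMPLE).items():
        print(key_id, "->", uids if uids else "(no user ID record)")
    print("user IDs present:", count_user_ids(SAMPLE))
```

Grouping the `U` records under their `K` record is what makes the exposure legible: it shows, per key ID, how many user-ID strings a log reader would have been able to read.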

Details

Version
GnuPG 2.3.4 and kleopatra=4:22.12.3-1 & GnuPG 2.2.44 and Kleopatra 3.1.24.221203 (22.12.3)

Event Timeline

Sorry, I don't understand your problem. Please explain what you did and what the (perceived) problem is. BTW, GnuPG 2.3.4 is a very old version.

werner renamed this task from "Major Security Issue: Leak of User-ID via clipboard" to "Leak of User-ID via clipboard". Wed, Oct 30, 8:31 AM
werner added projects: gnupg, kleopatra.

In the story of my life, you are a mythological figure.

I sent my friend an encrypted message. I am extremely fluent with GPG/PGP.

Doesn't matter that my Keys are ECC and his are RSA-4,096

He sent me back the below.

The below are the public keys of people that I had copied, pasted into my notepad and imported.

He saw this leak in his log and let me know. Where it states [name redacted], a name would have been; for example, when I copied the public key of Werner Koch into the buffer, it would have stated:

0:23EEBA5714B01357:U:::f:::Werner Koch

My keys:

Comment: Type: 255-bit EdDSA (secret key available)

Comment: Usage: Signing, Encryption, Certifying User-IDs, SSH Authentication

I am using Debian Stable
6.10.11-amd64
Kleopatra = 3.1.24.221203 (22.12.3)

Kleopatra states:
GnuPG 2.2.44
Libgcrypt 1.11.0

└──╼ $gpg --version 
gpg (GnuPG) 2.2.44
libgcrypt 1.11.0
Copyright (C) 2024 g10 Code GmbH
License GNU GPL-3.0-or-later https://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/name/.gnupg
Supported algorithms:
Pubkey: RSA (1), ELG (16), DSA (17), ECDH (18), ECDSA (19), EDDSA (22)
Cipher: IDEA (S1), 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7),
        AES192 (S8), AES256 (S9), TWOFISH (S10), CAMELLIA128 (S11),
        CAMELLIA192 (S12), CAMELLIA256 (S13)
Hash: SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9), SHA512 (H10),
      SHA224 (H11)
Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2)

BLESS YOUR SOUL FOR YOUR LIFE'S WORK!

Oct 30, 2024, 07:31 by noreply@dev.gnupg.org:

View Task https://dev.gnupg.org/T7354
werner renamed this task from "Major Security Issue: Leak of User-ID via clipboard" to " Leak of User-ID via clipboard".
werner added projects: gnupg, kleopatra.

TASK DETAIL
https://dev.gnupg.org/T7354

EMAIL PREFERENCES
https://dev.gnupg.org/settings/panel/emailpreferences/

To: werner

Cc: werner, marcel.proust, sergi, dscotese, andrey_l, Rafixmod, Fox, gp_ast

This is an automated email from the GnuPG development hub. If you have registered in the past at https://bugs.gnupg.org/ your account was migrated automatically. You can visit https://dev.gnupg.org/ to set a new password and update your email preferences.

This comment was removed by ebo.

"BTW, GnuPG 2.3.4 is a very old version."

  • I am using Debian Stable but have upgraded my GnuPG package.

└──╼ $uname -r
6.10.11-amd64

The 2.3.4 is the AppImage I keep as a backup for critical situations.
(gnupg-desktop-2.3.4-x86_64.AppImage)

bookworm (stable): gnupg 2.2.40-1.1 (all), https://packages.debian.org/bookworm/gnupg (utils): GNU privacy guard - a free PGP replacement
trixie (testing): gnupg 2.2.44-1 (all), https://packages.debian.org/trixie/gnupg (utils): GNU privacy guard - a free PGP replacement
sid (unstable): gnupg 2.2.45-1 (all), https://packages.debian.org/sid/gnupg (utils): GNU privacy guard - a free PGP replacement
experimental: gnupg 2.4.5-3 (all), https://packages.debian.org/experimental/gnupg (utils): GNU privacy guard - a free PGP replacement

CPU:
  Info: 8-core model: Intel Core i9-10885H bits: 64 type: MT MCP
    arch: Comet Lake rev: 2 cache: L1: 512 KiB L2: 2 MiB L3: 16 MiB
Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx

Info:
  Memory: total: 96 GiB note: est. available: 93.94 GiB used: 5.38 GiB (5.7%)

Packages: 4425 Compilers: clang: 14.0.6 gcc: 12.2.0 Shell: Bash v: 5.2.15
    inxi: 3.3.36

Oct 30, 2024, 06:43 by noreply@dev.gnupg.org:

View Task https://dev.gnupg.org/T7354
werner added a comment.

Sorry, I don't understand your problem. Please explain what you did and what the (perceived) problem is. BTW, GnuPG 2.3.4 is a very old version.


I removed a duplicated comment above.
Please do not duplicate information (no top posting) and keep your descriptions short and to the point.

This is no proper bug report. The issue is not described in a comprehensible way.

I suggest you turn to the mailing list at https://lists.wald.intevation.org/mailman/listinfo/gpg4win-users-en/ or the forum at https://forum.gnupg.org to discuss whether this might be a bug. Please try for a better description of your issue there.

Hello @ebo

Why would I turn to the Windows mailing list when I am a Linux user?

Can you explain how a leak of user-IDs in Log Viewer is not a bug?

Someone had provided great advice but it got deleted.

I did not intend to duplicate the post. I wanted to reply to the comment about the AppImage I keep for emergencies being old. Also, I run Debian Stable, which only has "old" packages, but I have managed to bring it up to 2.44.

Sorry, I've pasted the wrong link, I wanted to paste this one: https://lists.gnupg.org/mailman/listinfo/gnupg-users

We do not see how your friend could see your log. You do not write anything about how this comes about, exactly.
We would need info on how to reproduce this.

And the only thing deleted in this thread was a duplicate of https://dev.gnupg.org/T7354#193101