diff --git a/misc/blog.gnupg.org/20221017-pepe-left-the-ksba.org b/misc/blog.gnupg.org/20221017-pepe-left-the-ksba.org
index ea1a406..8da9251 100644
--- a/misc/blog.gnupg.org/20221017-pepe-left-the-ksba.org
+++ b/misc/blog.gnupg.org/20221017-pepe-left-the-ksba.org
@@ -1,158 +1,171 @@
#+STARTUP: showall
#+OPTIONS: ^:{} num:nil toc:nil
#+STARTUP: showall
#+AUTHOR: g10 Code GmbH
-#+DATE: 2022-10-17
+#+DATE: 2022-10-17 (updated 2022-12-20)
#+TITLE: Security Advisory for Libksba/GnuPG (CVE-2022-3515)
#+html: <div class="urgent"><p>Security Advisory for Libksba / GnuPG</p></div>
#+Latex: \enlargethispage{2cm}
** Integer Overflow in LibKSBA / GnuPG
A severe bug has been found in [[https://gnupg.org/software/libksba/][Libksba]] , the library used by GnuPG for
parsing the ASN.1 structures as used by S/MIME. The bug affects all
-versions of [[https://gnupg.org/software/libksba/][Libksba]] before 1.6.2 and may be used for remote code
+versions of [[https://gnupg.org/software/libksba/][Libksba]] before 1.6.3 and may be used for remote code
execution. *Updating this library is thus important*.
*** Who is affected
The major user of [[https://gnupg.org/software/libksba/][Libksba]] is /gpgsm/, the S/MIME cousin of /gpg/.
There it is used to parse all kind of input data, in particular signed
or encrypted data in files or in mails. Feeding a user with malicious
data can thus be easily achieved.
A second user of [[https://gnupg.org/software/libksba/][Libksba]] is /dirmngr/, which is responsible for loading
and parsing Certificate Revocation Lists (CRLs) and for verifying
certificates used by TLS (i.e. https connections). Mounting an attack
is a bit more complex but can anyway be easily done using a rogue web
server to serve a Web Key Directory, certificates, or CRLs.
An exploit is not yet publicly known but very straightforward to create
for experienced crooks.
Affected to our knowledge are:
-- Most software using /Libksba/ versions up to 1.6.1
+- Most software using /Libksba/ versions up to 1.6.2
-- All /Gpg4win/ versions from version 2.0.0 up to 4.0.3
+- All /Gpg4win/ versions from version 2.0.0 up to 4.0.4
-- All /GnuPG VS-Desktop^{\reg}/ versions from 3.1.16 up to 3.1.24
+- All /GnuPG VS-Desktop^{\reg}/ versions from 3.1.16 up to 3.1.25
-- All /GnuPG installers for Windows/ from version 2.3.0 up to 2.3.7
+- All /GnuPG installers for Windows/ from version 2.3.0 up to 2.3.8
-- All /GnuPG LTS installers for Windows/ from version 2.1.0 up to 2.2.39
+- All /GnuPG LTS installers for Windows/ from version 2.1.0 up to 2.2.40
*** How to fix
If you are on a Unix or Linux system you should get the latest version
-of Libksba (1.6.2 or newer), build the software and install the new
+of Libksba (1.6.3 or newer), build the software and install the new
shared library. Restart any background processes (e.g. =gpgconf
--kill all= for GnuPG). In the rare case that Libksba is statically
linked remember to rebuild those binaries.
If your are on Windows or if you use an AppImage of GnuPG VS-Desktop
update to the latest version:
-- Gpgwin version 4.0.4 or newer
-- GnuPG VS-Desktop version 3.1.25 or newer (MSI or AppImage)
-- GnuPG installer for Windows version 2.3.8
-- GnuPG LTS installer for Windows version 2.2.40
+- Gpgwin version 4.1.0 or newer
+- GnuPG VS-Desktop version 3.1.26 or newer (MSI or AppImage)
+- GnuPG installer for Windows version 2.4.0
+- GnuPG LTS installer for Windows version 2.2.41
In case you are not yet ready to deploy a new version, please extract
=libksba-8.dll= from the respective package and replace the
original one by this one. This is sufficient to fix the security
issue.
*** How to check whether GnuPG has been fixed
GnuPG is the most prominent user of Libksba and it is not immediately
visible whether a fixed version of Libksba is used. To check this run:
: gpgconf --show-versions
and watch out for a line like
-: * KSBA 1.6.2 (xxxxx)
+: * KSBA 1.6.3 (xxxxx)
-If you see a version number of 1.6.2 or newer, you got the fix.
+If you see a version number of 1.6.3 or newer, you got the fix.
*** CVE
- GnuPG-bug-id :: 6230 (https://dev.gnupg.org/T6230)
- CVE :: CVE-2022-3515
- CVSS :: 8.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Other-IDs :: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18927
CVSS taken from the Trend Micro Zero Day Initiative report.
** Technical background
The task of Libksba is to parse and build ASN.1 objects as used by
S/MIME, X.509, and CMS. The used encoding (BER, DER) is based on
tag-length-value objects. The function /_ksba_ber_read_tl/ parses
such data and returns the tag and associated information in this
structure:
#+begin_src C
struct tag_info {
enum tag_class class;
int is_constructed;
unsigned long tag;
unsigned long length; /* Length part of the TLV */
int ndef; /* It is an indefinite length */
size_t nhdr; /* Number of bytes in the TL */
unsigned char buf[10]; /* Buffer for the TL */
const char *err_string;
int non_der;
};
#+end_src
At several places we need to copy the objects to a local buffer. For
example we copy OIDs to a statically encoded buffer for further
processing:
#+begin_src C
struct tag_info ti;
unsigned char tmpbuf[500]; /* for OID or algorithmIdentifier */
[...]
if (ti.nhdr + ti.length >= DIM(tmpbuf))
return gpg_error (GPG_ERR_TOO_LARGE);
memcpy (tmpbuf, ti.buf, ti.nhdr);
err = read_buffer (crl->reader, tmpbuf+ti.nhdr, ti.length);
#+end_src
It is obvious that the sum of the header length (although less than 10
bytes) and the announced length of the value can easily wrap around
and pass the check. The result is then an overflow of /tmpbuf/ with
all the usual consequences. The code has been there for ages and it
seems that the audits missed this because, well, there is some
overflow check and a too brief check may have only noticed that the
memcpy if fine.
#+LaTeX: \newpage
The fix for this is easy because we can check for an overflow right
away in the parser. Thus /_ksba_ber_read_tl/ finally does this
extra check:
#+begin_src C
if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
{
ti->err_string = "header+length would overflow";
return gpg_error (GPG_ERR_EOVERFLOW);
}
#+end_src
-
*** Thanks
This vulnerability was discovered by:\\
-Anonymous working with Trend Micro Zero Day Initiative
+Anonymous working with Trend Micro Zero Day Initiative\\
+The second vulnerability was discovered by:\\
+Joseph Surin of elttam
+
The report was received on 2022-10-04, fix pushed 2022-10-05, new
source code release 2002-10-07, binary releases and announcement on
-2022-10-17.
+2022-10-17. Report on the second problem was received on 2022-11-22,
+and fixed on the next day. We agreed with the reported to delay
+publication for up to 5 weeks to catch any other reports and to give
+us time for a coordinated release of all affected software. The fix
+was published to customers on 2022-12-16, general publication on
+2022-12-20.
+
+*** Update on 2022-12-19
+
+It turned out that a related bug exists in the code to parse CRL
+signatures which was not fixed by Libksba 1.6.2. This update has
+changed the affected version numbers and the timeline.
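Review bot: the new timeline sentence "We agreed with the reported to delay" should read "reporter", and the new heading "*** Update on 2022-12-19" disagrees with both the updated #+DATE line and the "general publication on 2022-12-20" sentence added in the same hunk; pick one date. The new fix list also writes "- Gpgwin version 4.1.0 or newer" while the affected list spells the product /Gpg4win/. Since this update adds a second vulnerability and a second discoverer, the CVE section still carries only CVE-2022-3515 and the ZDI identifiers; if the second report has its own identifier, it belongs in that list. While this file is being touched, two pre-existing typos in the unchanged context could be fixed as well: "source code release 2002-10-07" (year) and "may have only noticed that the memcpy if fine" ("is fine"); the Other-IDs line also lists ZDI-CAN-18927 twice.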
diff --git a/web/download/index.org b/web/download/index.org
index ec0d627..1a63a9a 100644
--- a/web/download/index.org
+++ b/web/download/index.org
@@ -1,149 +1,149 @@
#+TITLE: GnuPG - Download
#+STARTUP: showall align
#+SETUPFILE: "../share/setup.inc"
#+GPGWEB-NEED-SWDB
#+OPTIONS: ^:{}
#+macro: check_sig_note GnuPG distributions are signed. It is wise and more secure to check out for their [[integrity_check.org][@@html:<a href="integrity_check.html">@@integrity@@html:</a>@@]].
#+macro: ftpopen @@html:<a href="@@
#+macro: ftpclose @@html:">download</a>@@
#+macro: ftpcloseS @@html:">sig</a>@@
* Download
#+index: GnuPG!download
Note that you may also download the GNU Privacy Guard from a mirror
site close to you. See our [[file:mirrors.org][list of mirrors]]. The table below
provides links to the location of the files on the primary server
only.
** Source code releases
These are the canonical release forms of GnuPG. To use them you
need to build the binary version from the provided source code.
For Unix systems this is the standard way of installing software.
For GNU/Linux distributions are commonly used (e.g. Debian, Fedora,
RedHat, or Ubuntu) which may already come with a directly
installable packages. However, these version may be older so that
building from the source is often also a good choice. Some
knowledge on how to compile and install software is required.
The table lists the different GnuPG packages, followed by required
libraries, required tools, optional software, and legacy versions
of GnuPG. For end-of-life dates see further down.
| Name | Version | Date | Size | Tarball | Signature |
|-----------------+------------------------+-------------------------+--------------------------+--------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------|
| | <l> | | <r> | | |
| [[../software/index.org][GnuPG]] | {{{gnupg24_ver}}} | {{{gnupg24_date}}} | {{{gnupg24_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gnupg/gnupg-{{{gnupg24_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gnupg/gnupg-{{{gnupg24_ver}}}.tar.bz2.sig{{{ftpclose}}} |
| [[../software/index.org][GnuPG]] (LTS) | {{{gnupg22_ver}}} | {{{gnupg22_date}}} | {{{gnupg22_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gnupg/gnupg-{{{gnupg22_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gnupg/gnupg-{{{gnupg22_ver}}}.tar.bz2.sig{{{ftpclose}}} |
| GnuPG Desktop | {{{gnupgdesk_ver}}} | {{{gnupgdesk_date}}} | {{{gnupgdesk_src_size}}} | {{{ftpopen}}}{{{gpgcom_base}}}/gnupg/gnupg-desktop-{{{gnupgdesk_ver}}}.tar.xz{{{ftpclose}}} | {{{ftpopen}}}{{{gpgcom_base}}}/gnupg/gnupg-desktop-{{{gnupgdesk_ver}}}.tar.xz.sig{{{ftpclose}}} |
|-----------------+------------------------+-------------------------+--------------------------+--------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------|
| [[../software/libgpg-error/index.org][Libgpg-error]] | {{{libgpg_error_ver}}} | {{{libgpg_error_date}}} | {{{libgpg_error_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/libgpg-error/libgpg-error-{{{libgpg_error_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/libgpg-error/libgpg-error-{{{libgpg_error_ver}}}.tar.bz2.sig{{{ftpclose}}} |
| [[../software/libgcrypt/index.org][Libgcrypt]] | {{{libgcrypt_ver}}} | {{{libgcrypt_date}}} | {{{libgcrypt_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/libgcrypt/libgcrypt-{{{libgcrypt_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/libgcrypt/libgcrypt-{{{libgcrypt_ver}}}.tar.bz2.sig{{{ftpclose}}} |
| [[../software/libgcrypt/index.org][Libgcrypt]] (LTS) | {{{libgcrypt18_ver}}} | {{{libgcrypt18_date}}} | {{{libgcrypt18_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/libgcrypt/libgcrypt-{{{libgcrypt18_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/libgcrypt/libgcrypt-{{{libgcrypt18_ver}}}.tar.bz2.sig{{{ftpclose}}} |
| [[../software/libksba/index.org][Libksba]] | {{{libksba_ver}}} | {{{libksba_date}}} | {{{libksba_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/libksba/libksba-{{{libksba_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/libksba/libksba-{{{libksba_ver}}}.tar.bz2.sig{{{ftpclose}}} |
| [[../software/libassuan/index.org][Libassuan]] | {{{libassuan_ver}}} | {{{libassuan_date}}} | {{{libassuan_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/libassuan/libassuan-{{{libassuan_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/libassuan/libassuan-{{{libassuan_ver}}}.tar.bz2.sig{{{ftpclose}}} |
| [[../software/ntbtls/index.org][ntbTLS]] | {{{ntbtls_ver}}} | {{{ntbtls_date}}} | {{{ntbtls_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/ntbtls/ntbtls-{{{ntbtls_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/ntbtls/ntbtls-{{{ntbtls_ver}}}.tar.bz2.sig{{{ftpclose}}} |
| [[../software/npth/index.org][nPth]] | {{{npth_ver}}} | {{{npth_date}}} | {{{npth_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/npth/npth-{{{npth_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/npth/npth-{{{npth_ver}}}.tar.bz2.sig{{{ftpclose}}} |
|-----------------+------------------------+-------------------------+--------------------------+--------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------|
| Pinentry | {{{pinentry_ver}}} | {{{pinentry_date}}} | {{{pinentry_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/pinentry/pinentry-{{{pinentry_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/pinentry/pinentry-{{{pinentry_ver}}}.tar.bz2.sig{{{ftpclose}}} |
|-----------------+------------------------+-------------------------+--------------------------+--------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------|
| [[../software/gpgme/index.org][GPGME]] | {{{gpgme_ver}}} | {{{gpgme_date}}} | {{{gpgme_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gpgme/gpgme-{{{gpgme_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gpgme/gpgme-{{{gpgme_ver}}}.tar.bz2.sig{{{ftpclose}}} |
| [[../software/scute/index.org][Scute]] | {{{scute_ver}}} | {{{scute_date}}} | {{{scute_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/scute/scute-{{{scute_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/scute/scute-{{{scute_ver}}}.tar.bz2.sig{{{ftpclose}}} |
- | [[../software/gpa/index.org][GPA]] | {{{gpa_ver}}} | {{{gpa_date}}} | {{{gpa_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gpa/gpa-{{{gpa_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gpa/gpa-{{{gpa_ver}}}.tar.bz2.sig{{{ftpclose}}} |
|-----------------+------------------------+-------------------------+--------------------------+--------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------|
+ | [[../software/gpa/index.org][GPA]] | {{{gpa_ver}}} | {{{gpa_date}}} | {{{gpa_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gpa/gpa-{{{gpa_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gpa/gpa-{{{gpa_ver}}}.tar.bz2.sig{{{ftpclose}}} |
| GnuPG 1.4 | {{{gnupg1_ver}}} | {{{gnupg1_date}}} | {{{gnupg1_size}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gnupg/gnupg-{{{gnupg1_ver}}}.tar.bz2{{{ftpclose}}} | {{{ftpopen}}}{{{ftp_loc_base}}}/gnupg/gnupg-{{{gnupg1_ver}}}.tar.bz2.sig{{{ftpclose}}} |
|-----------------+------------------------+-------------------------+--------------------------+--------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------|
{{{check_sig_note}}}
Remarks:
- /GnuPG Desktop^{\reg}/ is an AppImage for Linux featuring the
current GnuPG version and Kleopatra, its advanced graphical user
interface. This is only the source code; for the actual AppImage
see below. This AppImage can be used on almost all 64bit x86
Linux versions.
- /Pinentry/ is a collection of passphrase entry dialogs which is
required for almost all usages of GnuPG.
- /GPGME/ is the standard library to access GnuPG functions from
programming languages.
- /Scute/ is a PKCS#11 provider on top of GnuPG.
- /GPA/ is a graphical frontend to GnuPG.
- /GnuPG 1.4/ is the old, single binary version which still support
the unsafe PGP-2 keys. This branch has no dependencies on the
above listed libraries or the Pinentry. However, it lacks many
modern features and will receive only important updates.
** GnuPG binary releases
:PROPERTIES:
:CUSTOM_ID: binary
:END:
#+index: Binaries!download
In general we do not distribute binary releases but leave that to
the common Linux distributions. However, for some operating
systems we list pointers to readily installable releases. We
cannot guarantee that the versions offered there are current. Note
also that some of them apply security patches on top of the
standard versions but keep the original version number.
| OS | Where | Description |
|---------+--------------------+----------------------------------------------------------|
| | <18> | |
- | Linux | {{{ftpopen}}}{{{gpgcom_base}}}/gnupg/gnupg-desktop-{{{gnupgdesk_ver}}}-x86_64.AppImage{{{ftpclose}}} {{{ftpopen}}}{{{gpgcom_base}}}/gnupg/gnupg-desktop-{{{gnupgdesk_ver}}}-x86_64.AppImage.sig{{{ftpcloseS}}} | /GnuPG Desktop^{\reg}/ AppImage with the current /GnuPG/ |
+ | Linux | {{{ftpopen}}}{{{gpgcom_base}}}/gnupg/gnupg-desktop-{{{gnupgdesk_ver}}}-x86_64.AppImage{{{ftpclose}}} {{{ftpopen}}}{{{gpgcom_base}}}/gnupg/gnupg-desktop-{{{gnupgdesk_ver}}}-x86_64.AppImage.sig{{{ftpcloseS}}} | /GnuPG Desktop^{\reg}/ AppImage with the current /GnuPG/ |
| Windows | [[https://gpg4win.org/download.html][Gpg4win]] | Full featured Windows version of /GnuPG/ |
| | {{{ftpopen}}}{{{ftp_loc_base}}}/binary/gnupg-w32-{{{gnupg24_w32_ver}}}.exe{{{ftpclose}}} {{{ftpopen}}}{{{ftp_loc_base}}}/binary/gnupg-w32-{{{gnupg24_w32_ver}}}.exe.sig{{{ftpcloseS}}} | Simple installer for the current /GnuPG/ |
| | {{{ftpopen}}}{{{ftp_loc_base}}}/binary/gnupg-w32cli-{{{gnupg1_w32cli_ver}}}.exe{{{ftpclose}}} {{{ftpopen}}}{{{ftp_loc_base}}}/binary/gnupg-w32cli-{{{gnupg1_w32cli_ver}}}.exe.sig{{{ftpcloseS}}} | Simple installer for /GnuPG 1.4/ |
| OS X | [[https://gpgtools.org][Mac GPG]] | Installer from the gpgtools project |
| | [[https://sourceforge.net/p/gpgosx/docu/Download/][GnuPG for OS X]] | Installer for /GnuPG/ |
| Debian | [[https://www.debian.org][Debian site]] | GnuPG is part of Debian |
| RPM | [[http://rpmfind.net/][rpmfind]] | RPM packages for different OS |
| Android | [[https://guardianproject.info/code/gnupg/][Guardian project]] | Provides a GnuPG framework |
| VMS | [[http://www.antinode.info/dec/sw/gnupg.html][antinode.info]] | A port of GnuPG 1.4 to OpenVMS |
| RISC OS | [[http://www.sbellon.de/gnupg.html][home page]] | A port of GnuPG to RISC OS |
|---------+--------------------+----------------------------------------------------------|
** End-of-life announcements
:PROPERTIES:
:CUSTOM_ID: end-of-life
:END:
We announce the end-of-life date for a current stable version at
the time a new stable version is released. We maintain old
- branches for at least two years. For GnuPG 2.2 we consider 2.1.0
- as the birth of this new stable branch. For most other packages we
- don't maintain branches and thus there is no end-of-life; always
+ branches for at least two years. For GnuPG 2.4 (2.2) we consider
+ 2.3.0 (2.1.0) as the birth of the branch. For most other packages
+ we don't maintain branches and thus there is no end-of-life; always
use the latest version.
| Package | Ver. | End-of-life | Birth |
|-----------+-------+----------------+------------|
| | <l> | <l> | <l> |
| GnuPG | +1.0+ | 2002-09-07 | 1999-09-07 |
| | +1.2+ | 2005-01-01 | 2002-09-21 |
| | 1.4 | none (2) | 2004-12-16 |
| | +2.0+ | 2017-12-31 | 2006-11-11 |
| | 2.2 | 2024-12-31 (1) | 2014-11-06 |
- | | 2.3 | tba | 2021-04-07 |
+ | | 2.4 | tba | 2021-04-07 |
| Libgcrypt | +1.5+ | 2016-12-31 | 2011-06-29 |
| | +1.6+ | 2017-06-30 | 2013-12-16 |
| | +1.7+ | 2019-06-30 | 2016-04-15 |
| | 1.8 | 2024-12-31 (1) | 2017-07-18 |
| | 1.9 | 2024-03-31 | 2021-01-19 |
| | 1.10 | tba | 2022-02-01 |
- /(1)/: Long Term Support; eol date likely to be prolonged
- /(2)/: Legacy version; see remarks above.
- /tba/: To be announced.
# eof #
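Review bot: the Linux row of the binary-releases table is removed and re-added with no visible textual difference, which points to a whitespace-only edit; unless the column alignment really changed, that pair of lines only adds noise to the diff. In the end-of-life table, rewriting "| | 2.3 | tba | 2021-04-07 |" as 2.4 silently drops 2.3 from the record, whereas every other superseded branch (1.0, 1.2, 2.0) stays listed with strikethrough and its end-of-life date; keeping a 2.3 row with its end-of-life would leave the table a complete history. Moving the GPA row below the separator groups it with the legacy GnuPG 1.4, but the Remarks entry "/GPA/ is a graphical frontend to GnuPG." says nothing about that status; a short note there would keep table and remarks consistent.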