Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87efc8kj92.fsf@fifthhorseman.net>
Date: Mon, 29 Oct 2018 08:52:25 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: Jakub Wilk <jwilk@...lk.net>, oss-security@...ts.openwall.com
Subject: Re: Re: Travis CI MITM RCE

On Sat 2018-10-27 16:54:46 +0200, Jakub Wilk wrote:
> My proposed fix was to use "gpg --recv-key" with full fingerprint. But I 
> now discovered that even this is not resistant against MitM attacks:
>
> https://dev.gnupg.org/T3398
>
> "[...] modern gpg automatically applies an import screener that only 
> accepts OpenPGP certificates that have the given fingerprint [...]

It may be even worse than this, because the version of gpg used by
default in travis is not "modern gpg", it's either gnupg2
2.0.22-3ubuntu1.4 or gnupg 1.4.16-1ubuntu2.6.  I don't think either of
these has the baseline "import screener" functionality, let alone a fix
for T3398 :(

    --dkg

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.