CVE-2019-13050

Published: 29 June 2019

Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.

Priority

Low

CVSS 3 base score: 7.5

Status

Package Release Status

gnupg (Launchpad, Ubuntu, Debian)
  Upstream                          Needs triage
  Ubuntu 20.10 (Groovy Gorilla)     Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)    Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)  Does not exist
  Ubuntu 16.04 LTS (Xenial Xerus)   Deferred (2020-01-06)
  Ubuntu 14.04 ESM (Trusty Tahr)    Deferred (2020-01-06)

gnupg2 (Launchpad, Ubuntu, Debian)
  Upstream                          Needs triage
  Ubuntu 20.10 (Groovy Gorilla)     Deferred (2020-01-06)
  Ubuntu 20.04 LTS (Focal Fossa)    Deferred (2020-01-06)
  Ubuntu 18.04 LTS (Bionic Beaver)  Deferred (2020-01-06)
  Ubuntu 16.04 LTS (Xenial Xerus)   Deferred (2020-01-06)
  Ubuntu 14.04 ESM (Trusty Tahr)    Does not exist

  Patches:
  Upstream: https://dev.gnupg.org/rG15a425a1dfe60bd976b17671aa8e3d9aed12e1c0
  Upstream: https://dev.gnupg.org/rGadb120e663fc5e78f714976c6e42ae233c1990b0
  Upstream: https://dev.gnupg.org/rGa1f2f38dfb2ba5ed66d3aef66fc3be9b67f9b800
  Upstream: https://dev.gnupg.org/rG2b7151b0a57f5fe7d67fd76dfa1ba7a8731642c6 (possibly problematic)
  Upstream: https://dev.gnupg.org/rGb6effaf4669b2c3707932e3c5f2f57df886d759e
  Upstream: https://dev.gnupg.org/rG3c2cf5ea952015a441ee5701c41dadc63be60d87

sks (Launchpad, Ubuntu, Debian)
  Upstream                          Needs triage
  Ubuntu 20.10 (Groovy Gorilla)     Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)    Deferred (2020-01-06)
  Ubuntu 18.04 LTS (Bionic Beaver)  Deferred (2020-01-06)
  Ubuntu 16.04 LTS (Xenial Xerus)   Deferred (2020-01-06)
  Ubuntu 14.04 ESM (Trusty Tahr)    Does not exist

Notes

Author    Note
mdeslaur  This is a weakness in the PGP keyserver design.
amurray   gnupg upstream has 2 mitigations for this: firstly, don't import key signatures by default anymore, and secondly, fall back to importing only self-signatures on very large keyblocks.
mdeslaur  As of 2020-01-06, there is no ideal fix for this issue.
          Marking this CVE as deferred until a complete fix is available.
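The failure mode in the description (a keyblock flooded with third-party certifications that GnuPG then chokes on) and the second mitigation in the notes (keep only self-signatures on an oversized keyblock) can both be exercised offline. The following is an added example for this page, not code from GnuPG, SKS or Ubuntu: it parses OpenPGP packet framing (RFC 4880, old and new format headers), computes the v4 key ID, counts self- versus third-party signatures in a keyblock, flags a keyblock above an assumed threshold, and strips third-party signatures the way GnuPG's self-sigs-only keyserver option does. The sample keyblock, its fake RSA key material, the dummy (unverifiable) signatures, the POISON_THRESHOLD value and all function names are constructed for this example.

```python
import hashlib
import struct
SIG, PUBKEY, USERID = 2, 6, 13   # OpenPGP packet tags (RFC 4880 section 4.3)
POISON_THRESHOLD = 1000          # assumed cut-off for flagging a flooded key

def packet(tag, body):
    """Serialize one new-format packet (RFC 4880 4.2.2); partial lengths not used."""
    n = len(body)
    hdr = (bytes([n]) if n < 192 else
           bytes([192 + ((n - 192) >> 8), (n - 192) & 0xFF]) if n < 8384 else
           b"\xff" + struct.pack(">I", n))
    return bytes([0xC0 | tag]) + hdr + body

def _varlen(buf, i):
    """Decode a one-, two- or five-octet length at buf[i]; return (length, next_i)."""
    b0 = buf[i]
    if b0 < 192:
        return b0, i + 1
    if b0 < 255:
        return ((b0 - 192) << 8) + buf[i + 1] + 192, i + 2
    return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5

def parse_packets(data):
    """Yield (tag, body) for each old- or new-format packet in a binary keyblock."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % (i - 1))
        if ctb & 0x40:                                   # new-format header
            if 224 <= data[i] < 255:
                raise ValueError("partial body lengths not supported")
            tag, (length, i) = ctb & 0x3F, _varlen(data, i)
        else:                                            # old-format header
            tag, lentype = (ctb >> 2) & 0x0F, ctb & 0x03
            if lentype == 3:
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(data[i:i + (1 << lentype)], "big"), i + (1 << lentype)
        if i + length > len(data):
            raise ValueError("truncated packet")         # never trust the length field
        yield tag, data[i:i + length]
        i += length

def v4_key_id(key_body):
    # Low 64 bits of the v4 fingerprint: SHA-1(0x99 || 2-octet length || key body)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()[-8:]

def _subpackets(area):
    i = 0
    while i < len(area):
        length, i = _varlen(area, i)
        yield area[i] & 0x7F, area[i + 1:i + length]     # (type with critical bit masked, data)
        i += length

def sig_issuer(sig_body):
    """Issuer key ID (subpacket type 16) of a v4 signature, or None."""
    if not sig_body or sig_body[0] != 4:
        return None
    hlen = struct.unpack(">H", sig_body[4:6])[0]
    ulen = struct.unpack(">H", sig_body[6 + hlen:8 + hlen])[0]
    for area in (sig_body[6:6 + hlen], sig_body[8 + hlen:8 + hlen + ulen]):
        for stype, sdata in _subpackets(area):
            if stype == 16 and len(sdata) == 8:
                return sdata
    return None

def _classify(data):
    # Yield (tag, body, is_self_sig); a self-signature is one issued by the primary key
    primary = None
    for tag, body in parse_packets(data):
        if tag == PUBKEY and primary is None:
            primary = v4_key_id(body)
        yield tag, body, tag == SIG and primary is not None and sig_issuer(body) == primary

def summarize_keyblock(data):
    stats = {"bytes": len(data), "sigs": 0, "self_sigs": 0, "third_party": 0}
    for tag, body, own in _classify(data):
        if tag == SIG:
            stats["sigs"] += 1
            stats["self_sigs" if own else "third_party"] += 1
    stats["poisoned"] = stats["sigs"] >= POISON_THRESHOLD
    return stats

def self_sigs_only(data):
    """Drop third-party signatures (what GnuPG's self-sigs-only option does; reimplemented here)."""
    return b"".join(packet(t, b) for t, b, own in _classify(data) if t != SIG or own)

# Constructed sample keyblock: fake RSA key material and unverifiable dummy signatures.
def _mpi(n):
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def make_cert_sig(issuer):
    """v4 positive certification (0x13, RSA, SHA-256) with only an Issuer subpacket."""
    hashed = bytes([9, 16]) + issuer                     # subpacket: length 9, type 16
    return b"\x04\x13\x01\x08" + struct.pack(">H", len(hashed)) + hashed + b"\x00\x00\x00\x00" + _mpi(1)

def build_sample(third_party_sigs):
    # Primary key, user ID, one self-signature, then N third-party certifications
    key = b"\x04" + struct.pack(">I", 1561766400) + b"\x01" + _mpi(0xC0FFEED00D12345679) + _mpi(65537)
    blob = packet(PUBKEY, key) + packet(USERID, b"Alice <alice@example.org>")
    blob += packet(SIG, make_cert_sig(v4_key_id(key)))
    for k in range(third_party_sigs):
        blob += packet(SIG, make_cert_sig(k.to_bytes(8, "big")))
    return blob
```

summarize_keyblock(build_sample(1500)) reports 1501 signatures, 1 of them a self-signature, and flags the keyblock; self_sigs_only() shrinks it back to key, user ID and the one self-signature. On a real keyblock (for example the binary output of gpg --export, which uses old-format headers for key packets) the same functions apply, and the same check can be run on data fetched from a keyserver before it is handed to gpg --import. GnuPG 2.2.17 and later apply this filtering themselves through the self-sigs-only and import-clean keyserver options, which is the first mitigation mentioned in the notes; pointing the keyserver setting at a server outside the SKS network avoids fetching the flooded keyblocks in the first place.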

References

Bugs