CVE-2019-13050

Published: 29 June 2019

Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.

Notes

Author  Note

mdeslaur
this is a weakness in the PGP keyserver design.

alexmurray
gnupg upstream has 2 mitigations for this: firstly, key signatures are no longer imported by default, and secondly, on very large keyblocks it falls back to importing only self-signatures.

mdeslaur
as of 2020-01-06, there is no ideal fix for this issue; marking this CVE as deferred until a complete fix is available.

sbeattie
gnupg mitigations landed upstream in 2.2.17, with important fixes in 2.2.18. 2.2.19-3ubuntu1 introduced a Debian/Ubuntu-specific change to use keys.openpgp.org as the default keyserver. Any backports to address this issue will be complex and introduce changes in behavior. sks in Debian introduced very basic filtering in 1.1.6+git20210302.c3ba6d5a-1.

rodrigo-zaiden
as of 2022-03-22, there is no upstream backport for the gnupg 1.4 series. Backporting from 2.2 is too risky.
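The mitigations in the notes above reduce to a few lines of gpg.conf and dirmngr.conf: a keyserver line that does not point at the SKS pool, and keyserver-options that keep third-party signatures out of the keyring. The following shell script is an added example, not code from the Ubuntu CVE tracker or from GnuPG. It audits a gpg.conf/dirmngr.conf pair for the exposure and shows a weak configuration beside a hardened one. The option names self-sigs-only, import-clean and their no- forms are real GnuPG keyserver-options (the defaults since 2.2.17); treating hosts under sks-keyservers.net as "on the SKS network", and the function names conf_value and audit_gpg_config, are this example's own assumptions.

```shell
#!/bin/sh
# Added example for CVE-2019-13050 (not from the Ubuntu CVE tracker or GnuPG):
# audit a gpg.conf / dirmngr.conf pair for exposure to SKS certificate spamming.
# Assumptions: hosts under sks-keyservers.net count as "on the SKS network";
# the keyserver-options self-sigs-only / import-clean (GnuPG defaults since
# 2.2.17) are the mitigation being checked for. Function names are our own.

# Effective value of OPTION in FILE: last uncommented occurrence wins, as in
# GnuPG; empty if the file or the option is absent.  Usage: conf_value FILE OPTION
conf_value() {
    grep -E "^[[:space:]]*$2([[:space:]]|\$)" "$1" 2>/dev/null \
        | tail -n 1 \
        | sed -E "s/^[[:space:]]*$2[[:space:]]*//"
}

# Report findings for GPG_CONF and DIRMNGR_CONF, one per line.
# Returns 0 when nothing was found, 1 otherwise.
audit_gpg_config() {
    gpg_conf=$1
    dirmngr_conf=$2
    findings=0

    # GnuPG 2.1+ reads "keyserver" from dirmngr.conf; older set-ups put it in
    # gpg.conf, so both files are checked.
    for f in "$gpg_conf" "$dirmngr_conf"; do
        ks=$(conf_value "$f" keyserver)
        case "$ks" in
            *sks-keyservers.net*)
                echo "FINDING: $f: keyserver '$ks' is on the SKS pool; fetching a spammed certificate can wedge gpg (CVE-2019-13050)"
                findings=$((findings + 1)) ;;
        esac
    done

    # keyserver-options may be comma- or space-separated; normalise to commas.
    opts=$(conf_value "$gpg_conf" keyserver-options | tr ' ' ',')
    case ",$opts," in
        *,no-self-sigs-only,*|*,no-import-clean,*)
            echo "FINDING: $gpg_conf: keyserver-options '$opts' re-enables import of third-party key signatures"
            findings=$((findings + 1)) ;;
    esac
    case ",$opts," in
        *,self-sigs-only,*|*,import-clean,*) ;;   # explicitly hardened
        *) echo "NOTE: $gpg_conf: no self-sigs-only/import-clean; relies on GnuPG >= 2.2.17 making that the default" ;;
    esac

    [ "$findings" -eq 0 ]
}

# Demo on constructed configs: the pre-2.2.17 style set-up beside the hardened
# one (keys.openpgp.org distributes no third-party signatures at all).
demo_dir=$(mktemp -d)
printf 'keyserver hkp://pool.sks-keyservers.net\n' > "$demo_dir/dirmngr.weak"
printf 'keyserver-options no-self-sigs-only,no-import-clean\n' > "$demo_dir/gpg.weak"
printf 'keyserver hkps://keys.openpgp.org\n' > "$demo_dir/dirmngr.hardened"
printf 'keyserver-options self-sigs-only import-clean\n' > "$demo_dir/gpg.hardened"

echo "== weak =="
audit_gpg_config "$demo_dir/gpg.weak" "$demo_dir/dirmngr.weak" || echo "=> not safe"
echo "== hardened =="
audit_gpg_config "$demo_dir/gpg.hardened" "$demo_dir/dirmngr.hardened" && echo "=> clean"
rm -rf "$demo_dir"
```

Run it against ~/.gnupg/gpg.conf and ~/.gnupg/dirmngr.conf; after changing the keyserver line, restart the daemon with gpgconf --kill dirmngr so the new value is picked up. The audit only prevents new poisoning: a certificate that has already been flooded stays in the keyring, and gpg --edit-key KEYID with the clean and save subcommands strips the signatures issued by keys that are not on the keyring, which is what the spam consists of.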

Priority

Low

CVSS 3 Severity Score

7.5

Status

Package   Release   Status

gnupg     xenial    Deferred (2022-03-22)
          bionic    Does not exist
          disco     Does not exist
          eoan      Does not exist
          focal     Does not exist
          groovy    Does not exist
          hirsute   Does not exist
          impish    Does not exist
          jammy     Does not exist
          kinetic   Does not exist
          lunar     Does not exist
          mantic    Does not exist
          upstream  Needs triage

gnupg2    xenial    Ignored (change too intrusive)
          bionic    Released (2.2.4-1ubuntu1.5)
          disco     Ignored (end of life)
          eoan      Ignored (end of life)
          focal     Not vulnerable (2.2.19-3ubuntu1)
          groovy    Not vulnerable (2.2.19-3ubuntu1)
          hirsute   Not vulnerable (2.2.19-3ubuntu1)
          impish    Not vulnerable (2.2.19-3ubuntu1)
          jammy     Not vulnerable (2.2.19-3ubuntu1)
          kinetic   Not vulnerable (2.2.19-3ubuntu1)
          lunar     Not vulnerable (2.2.19-3ubuntu1)
          mantic    Not vulnerable (2.2.19-3ubuntu1)
          upstream  Released (2.2.17-3)

          Patches:
          upstream: https://dev.gnupg.org/rG15a425a1dfe60bd976b17671aa8e3d9aed12e1c0
          upstream: https://dev.gnupg.org/rGadb120e663fc5e78f714976c6e42ae233c1990b0
          upstream: https://dev.gnupg.org/rGa1f2f38dfb2ba5ed66d3aef66fc3be9b67f9b800
          upstream: https://dev.gnupg.org/rG2b7151b0a57f5fe7d67fd76dfa1ba7a8731642c6 (possibly problematic)
          upstream: https://dev.gnupg.org/rGb6effaf4669b2c3707932e3c5f2f57df886d759e
          upstream: https://dev.gnupg.org/rG3c2cf5ea952015a441ee5701c41dadc63be60d87

sks       trusty    Does not exist
          xenial    Deferred (2020-01-06)
          bionic    Deferred (2020-01-06)
          cosmic    Ignored (end of life)
          disco     Ignored (end of life)
          eoan      Ignored (end of life)
          focal     Deferred (2020-01-06)
          groovy    Does not exist
          hirsute   Not vulnerable (1.1.6+git20210302.c3ba6d5a-1)
          impish    Not vulnerable (1.1.6+git20210302.c3ba6d5a-1)
          jammy     Not vulnerable (1.1.6+git20210302.c3ba6d5a-1)
          kinetic   Not vulnerable (1.1.6+git20210302.c3ba6d5a-1)
          lunar     Not vulnerable (1.1.6+git20210302.c3ba6d5a-1)
          mantic    Not vulnerable (1.1.6+git20210302.c3ba6d5a-1)
          upstream  Released (1.1.6+git20210302.c3ba6d5a-1)

Severity score breakdown

Parameter               Value
Base score              7.5
Attack vector           Network
Attack complexity       Low
Privileges required     None
User interaction        None
Scope                   Unchanged
Confidentiality impact  None
Integrity impact        None
Availability impact     High
Vector                  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H