Re: concerns about the security reliability of python-gnupg
On 2019-02-09 11:39:18, Elena ``of Valhalla'' wrote:
> On 2019-02-07 at 11:44:45 -0500, Antoine Beaupré wrote:
>> Hi,
>>
>> Recently, python-gnupg was triaged for maintenance in Debian LTS, which
>> brought my attention to this little wrapper around GnuPG that I'm
>> somewhat familiar with.
>>
>> Debian is marked as "vulnerable" for CVE-2019-6690 in Jessie and Stretch
>> right now, with buster and sid marked as fixed, as you can see here:
>>
>> https://security-tracker.debian.org/tracker/source-package/python-gnupg
>
> sorry, my fault for missing the CVE when uploading the new upstream
> version; I will prepare the fix for stable(-security) ASAP.

No problem! :)

> I don't care enough about LTS to learn its upload procedures, but if
> somebody is interested in doing it I can backport the patch and push it
> to git, for them to upload.

I'm sure people in the LTS team (including myself) would be happy to
carry that torch any way you prefer. We can perform as much or as little
as you want in the process.

>> I'm concerned about the security of this project in general. Even though
>> that specific instance might be fixed, there are many more bad security
>> practices used in this project. A fork was created by Isis Agora
>> Lovecruft to fix those issues:
>>
>> https://github.com/isislovecruft/python-gnupg/
>
> AFAIK that fork is dead upstream, and it's not compatible with Vinay
> Sajip's version, so it can't be used to satisfy the dependency in other
> packages

Maybe so, but the security concerns raised are serious and should be
addressed. I'm surprised to hear it's not backwards-compatible,
however... That is certainly a concern if we'd want to switch upstreams,
but that's not exactly what I was proposing... Isis renamed their
package to "pretty bad protocol" anyways, which makes it clear it's not
designed to be a drop-in replacement.

>> [...]
>> I suspect many such issues could be identified formally in the
>> python-gnupg package.
>
> My experience with upstream is that they are quite good at reacting to
> issues that are raised on their bugtracker (and I'm happy to forward
> them there from the debian BTS).
>
> On the other hand, they don't maintain a LTS version, so the fix will
> happen in the latest release, and while I'm confident that many patches
> will be backportable there is no guarantee that *all* of them would be,
> especially to the version in oldstable.

I am especially concerned about backporting fixes Isis identified. Those
are far-ranging vulnerabilities that require massive code refactoring. I
doubt those would be meaningfully backportable.

>> But maybe, instead, we should just mark it as unsupported in
>> debian-security-support and move on. There are few packages depending on
>> it, in jessie:
>> [...]
>> in buster:
>> [...]
>
> I think this list is missing something, maybe the reverse dependencies
> of python3-gnupg: I know that gajim-pgp depends on it (and is in turn
> recommended by gajim) at least in buster; earlier versions used an old
> embedded copy of the same library, so this isn't really a "new"
> dependency.

I guess that's why I missed it in jessie - there are no rdeps for the
py3 version in jessie...

I'm not sure what to do next here. I just felt it was important to
outline possibly fundamental problems with this package that are not
currently mapped in the CVE process. Maybe that shouldn't lead to any
action on our part, but I wanted people here to be aware of those
concerns.

A.

--
Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
                        - Benjamin Franklin, 1755

Re: concerns about the security reliability of python-gnupg
On 2019-02-07 at 11:44:45 -0500, Antoine Beaupré wrote:
> Hi,
>
> Recently, python-gnupg was triaged for maintenance in Debian LTS, which
> brought my attention to this little wrapper around GnuPG that I'm
> somewhat familiar with.
>
> Debian is marked as "vulnerable" for CVE-2019-6690 in Jessie and Stretch
> right now, with buster and sid marked as fixed, as you can see here:
>
> https://security-tracker.debian.org/tracker/source-package/python-gnupg

sorry, my fault for missing the CVE when uploading the new upstream
version; I will prepare the fix for stable(-security) ASAP.

I don't care enough about LTS to learn its upload procedures, but if
somebody is interested in doing it I can backport the patch and push it
to git, for them to upload.

> I'm concerned about the security of this project in general. Even though
> that specific instance might be fixed, there are many more bad security
> practices used in this project. A fork was created by Isis Agora
> Lovecruft to fix those issues:
>
> https://github.com/isislovecruft/python-gnupg/

AFAIK that fork is dead upstream, and it's not compatible with Vinay
Sajip's version, so it can't be used to satisfy the dependency in other
packages

> [...]
> I suspect many such issues could be identified formally in the
> python-gnupg package.

My experience with upstream is that they are quite good at reacting to
issues that are raised on their bugtracker (and I'm happy to forward
them there from the debian BTS).

On the other hand, they don't maintain a LTS version, so the fix will
happen in the latest release, and while I'm confident that many patches
will be backportable there is no guarantee that *all* of them would be,
especially to the version in oldstable.

> But maybe, instead, we should just mark it as unsupported in
> debian-security-support and move on. There are few packages depending on
> it, in jessie:
> [...]
> in buster:
> [...]

I think this list is missing something, maybe the reverse dependencies
of python3-gnupg: I know that gajim-pgp depends on it (and is in turn
recommended by gajim) at least in buster; earlier versions used an old
embedded copy of the same library, so this isn't really a "new"
dependency.

--
Elena ``of Valhalla''

Re: concerns about the security reliability of python-gnupg
On 2019-02-07 16:48:56, Holger Levsen wrote:
> On Thu, Feb 07, 2019 at 11:44:45AM -0500, Antoine Beaupré wrote:
>> But maybe, instead, we should just mark it as unsupported in
>> debian-security-support and move on. There are few packages depending on
>> it, in jessie:
> [...]
>> in buster:
>> Note that the list is (slowly) growing.
>
> marking it unsupported in debian-security-support for jessie and
> stretch might be the right step forward, but if it's really as bad as
> you describe, I think it should be kicked out of buster, instead of
> carried on.

That too. But I'd like to hear the maintainer's opinion before taking
any more drastic measures. :)

A.

--
The most beautiful songs are songs of protest.
Verse must make love in the minds of the people.
At the school of poetry, one does not learn: one fights!
                        - Léo Ferré, "Préface"

Re: concerns about the security reliability of python-gnupg
On Thu, Feb 07, 2019 at 11:44:45AM -0500, Antoine Beaupré wrote:
> But maybe, instead, we should just mark it as unsupported in
> debian-security-support and move on. There are few packages depending on
> it, in jessie:
[...]
> in buster:
> Note that the list is (slowly) growing.

marking it unsupported in debian-security-support for jessie and
stretch might be the right step forward, but if it's really as bad as
you describe, I think it should be kicked out of buster, instead of
carried on.

--
tschau,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

Re: concerns about the security reliability of python-gnupg
On 2019-02-07 11:44:45, Antoine Beaupré wrote:
> https://dev.gentoo.org/~mgorny/articles/evolution-uid-trust-extrapolation.html
> https://blogs.gentoo.org/mgorny/2019/01/29/identity-with-openpgp-trust-model/

Oops, that second link should have been:

https://dev.gentoo.org/~mgorny/articles/attack-on-git-signature-verification.html

A.

--
Computer science is no more about computers than astronomy is about
telescopes
                        - E. Dijkstra

concerns about the security reliability of python-gnupg
Hi,

Recently, python-gnupg was triaged for maintenance in Debian LTS, which
brought my attention to this little wrapper around GnuPG that I'm
somewhat familiar with.

Debian is marked as "vulnerable" for CVE-2019-6690 in Jessie and Stretch
right now, with buster and sid marked as fixed, as you can see here:

https://security-tracker.debian.org/tracker/source-package/python-gnupg

I'm concerned about the security of this project in general. Even though
that specific instance might be fixed, there are many more bad security
practices used in this project. A fork was created by Isis Agora
Lovecruft to fix those issues:

https://github.com/isislovecruft/python-gnupg/

Those patches were not merged back upstream, which is disputing Isis'
claims. The security issues found in the upstream package are partly
documented here:

https://blog.patternsinthevoid.net/pretty-bad-protocolpeople.html

I am concerned that fixing only this specific CVE will give users a
false sense of security, as many more similar issues might be lurking in
the code.

Having, myself, dealt with writing such a library (lesson learnt: don't
do that), I can confirm it is very hard (if not impossible) to properly
talk with GnuPG in a reasonable way. There is now a constant flow of
vulnerabilities coming out that outline commonly made mistakes when
trying to talk the line dialog with GnuPG. For example:

https://dev.gentoo.org/~mgorny/articles/evolution-uid-trust-extrapolation.html
https://blogs.gentoo.org/mgorny/2019/01/29/identity-with-openpgp-trust-model/

I suspect many such issues could be identified formally in the
python-gnupg package.

But maybe, instead, we should just mark it as unsupported in
debian-security-support and move on. There are few packages depending on
it, in jessie:

    Reverse Depends:
      Dépend: hash-slinger
      Dépend: pyspread

in stretch:

    Reverse Depends:
      Casse: gnupg (<< 0.3.8-3)
      Recommande: python-sleekxmpp
      Dépend: pyspread
      Dépend: hash-slinger
      Dépend: goopg
      Dépend: deken

in buster:

    Reverse Depends:
      Casse: gnupg (<< 0.3.8-3)
      Dépend: hash-slinger
      Dépend: goopg
      Recommande: python-sleekxmpp
      Dépend: python-rosbag
      Dépend: pyspread

Note that the list is (slowly) growing.

What do people think?

A.

--
The adversary of true liberty is an excessive desire for security.
                        - Jean de la Fontaine