Bug #17111

gpg updating (flooded) public keys in the background

Added by sajolida 2019-10-01 22:41:27. Updated 2019-10-02 07:08:04.

Status: Resolved
Priority: Elevated
% Done: 0%
Type of work: Code
Description

Today I caught gpg checking for one of the flooded OpenPGP keys in the background.

It had been running at 100% CPU for more than 30 minutes before I killed it. Before that, the same operation killed my laptop by overheating a few hours earlier.

The command that I got from a ps listing was:

/usr/bin/gpg --charset utf-8 --display-charset utf-8 --no-auto-check-trustdb --no-emit-version --no-comments --display-charset utf-8 --keyserver-options no-auto-key-retrieve --batch --no-tty --no-verbose --status-fd 2 --keyserver hkp://jirk5u4osbsr34t5.onion:11371 --recv-keys EE8192A6E443D6D8

EE8192A6E443D6D8 is the key of Patrick Brunschwig <patrick@brunschwig.net>, author of Enigmail, and reported as flooded. See https://anarc.at/blog/2019-07-30-pgp-flooding-attacks/.

I definitely didn’t trigger this action myself.

Also note that some weeks ago, as gpg was doing some other extreme CPU operations (when checking the trust db), I rebuilt my keyring from scratch by importing all public and private keys manually again.

The version of EE8192A6E443D6D8 that I have in my keyring only has 1333 signatures so it’s not the flooded version.

gpg in Tails shouldn’t try to fetch possibly flooded keys in the background as it can lead to hardware damage and data loss.

Setting priority to Elevated as it is a regression with possibly harmful consequences.


History

#1 Updated by intrigeri 2019-10-02 07:08:04

  • Subject changed from gpg updating (floaded) public keys in the background to gpg updating (flooded) public keys in the background
  • Description updated
  • Status changed from Confirmed to Resolved
  • Target version set to Tails_4.0

The current builds from the devel branch, on which 4.0 will be based, include gnupg 2.2.12-1+deb10u1, whose NEWS.Debian reads:

  In this version we adopt GnuPG's upstream approach of making keyserver
  access default to self-sigs-only.  This defends against receiving
  flooded OpenPGP certificates.  To revert to the previous behavior (not
  recommended!), add the following directive to ~/.gnupg/gpg.conf:

    keyserver-options no-self-sigs-only

⇒ already fixed on the devel branch, thanks to upstream + dkg :)
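
The report judges the local copy of the key by its signature count. As an added example (not part of this ticket or of Tails' code), the Python script below counts self-signatures and third-party signatures per primary key from `gpg --with-colons --list-sigs` output. The function names, the `threshold` value and the sample records are assumptions made for illustration.

```python
import subprocess
from collections import defaultdict

# Constructed sample of `gpg --with-colons --list-sigs` output (not real keyring
# data). Only the record type (field 1) and the key ID (field 5) are used.
SAMPLE = """\
pub:-:4096:1:EE8192A6E443D6D8:1400000000:::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:-::::1400000000::0000::Constructed User <user@example.invalid>::::::::::0:
sig:::1:EE8192A6E443D6D8:1400000000::::Constructed User <user@example.invalid>:13x:::::8:
sig:::1:1111111111111111:1500000000::::[User ID not found]:10x:::::8:
sig:::1:2222222222222222:1500000001::::[User ID not found]:10x:::::8:
sub:-:4096:1:AAAAAAAAAAAAAAAA:1400000000::::::e::::::23:
sig:::1:EE8192A6E443D6D8:1400000000::::Constructed User <user@example.invalid>:18x:::::8:
"""


def count_signatures(colon_output):
    """Map each primary key ID to its self and third-party signature counts."""
    counts = defaultdict(lambda: {"self": 0, "third_party": 0})
    primary = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue
        if fields[0] == "pub":
            primary = fields[4]          # key ID of the certificate being listed
        elif fields[0] in ("sig", "rev") and primary:
            # A signature issued by the primary key itself is a self-signature.
            kind = "self" if fields[4] == primary else "third_party"
            counts[primary][kind] += 1
    return dict(counts)


def flooded_candidates(counts, threshold=10000):
    """Key IDs whose third-party signature count exceeds an assumed threshold."""
    return sorted(k for k, c in counts.items() if c["third_party"] > threshold)


def list_sigs(key_id):
    # Assumes gpg is on PATH; --list-sigs lists signatures without verifying them.
    cmd = ["gpg", "--batch", "--with-colons", "--list-sigs", key_id]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    result = count_signatures(SAMPLE)
    print(result, flooded_candidates(result, threshold=1))
```

With self-sigs-only in effect for keyserver access, a key fetched from a keyserver should show a third-party count of zero for that fetch.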