lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 14 Jun 2012 17:52:26 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: Georgi Guninski <guninski@...inski.com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Using second gpg keyring may be misleading?

What are you considering exploitable?  The untrusted/unverified "Master" key?

Timothy "Thor"  Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible



-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Georgi Guninski
Sent: Thursday, June 14, 2012 7:18 AM
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] Using second gpg keyring may be misleading?

There is chance someone exploits this in apt-key...

Attached is a keyring and here is the output:

$rm -rf /home/joro2/.gnupg/ ; gpg --import /usr/share/keyrings/ubuntu-master-keyring.gpg ; gpg --check-sigs --keyring /tmp/sec3
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found
/home/joro2/.gnupg/pubring.gpg
------------------------------
pub   4096R/3F272F5B 2007-11-09
uid                  Ubuntu Archive Master Signing Key <ftpmaster@...ntu.com>
sig!3        3F272F5B 2007-11-09  Ubuntu Archive Master Signing Key <ftpmaster@...ntu.com>

/tmp/sec3
---------
pub   1024R/B1C08810 2012-06-14
uid                  kkkkkkk5 <k@k>
sig!3        B1C08810 2012-06-14  [User ID not found]
sig!         3F272F5B 2012-06-14  Ubuntu Archive Master Signing Key <ftpmaster@...ntu.com>
sig!         3F272F5B 2012-06-14  Ubuntu Archive Master Signing Key <ftpmaster@...ntu.com>
sub   1024R/0354AE88 2012-06-14
sig!         B1C08810 2012-06-14  [User ID not found]
sub   2179R/3F272F5B 2012-06-14
sig!         B1C08810 2012-06-14  [User ID not found]

1 signature not checked due to a missing key


$rm -rf /home/joro2/.gnupg/ ; gpg --import /usr/share/keyrings/ubuntu-master-keyring.gpg ; gpg --no-default-keyring --check-sigs --keyring /tmp/sec3

gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found
/tmp/sec3
---------
pub   1024R/B1C08810 2012-06-14
uid                  kkkkkkk5 <k@k>
sig!3        B1C08810 2012-06-14  kkkkkkk5 <k@k>
sig!         3F272F5B 2012-06-14  kkkkkkk5 <k@k>
sig!         3F272F5B 2012-06-14  kkkkkkk5 <k@k>
sub   1024R/0354AE88 2012-06-14
sig!         B1C08810 2012-06-14  kkkkkkk5 <k@k>
sub   2179R/3F272F5B 2012-06-14
sig!         B1C08810 2012-06-14  kkkkkkk5 <k@k>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists