
concerns about the security reliability of python-gnupg



Hi,

Recently, python-gnupg was triaged for maintenance in Debian LTS, which
brought my attention to this little wrapper around GnuPG that I'm
somewhat familiar with.

Debian is marked as "vulnerable" for CVE-2019-6690 in Jessie and Stretch
right now, with buster and sid marked as fixed, as you can see here:

https://security-tracker.debian.org/tracker/source-package/python-gnupg

I'm concerned about the security of this project in general. Even though
that specific instance might be fixed, there are many more bad security
practices used in this project. A fork was created by Isis Agora
Lovecruft to fix those issues:

https://github.com/isislovecruft/python-gnupg/

Those patches were not merged back upstream, which is disputing isis'
claims. The security issues found in the upstream package are partly
documented here:

https://blog.patternsinthevoid.net/pretty-bad-protocolpeople.html

I am concerned that fixing only this specific CVE will give users a
false sense of security, as many more similar issues might be lurking in
the code. Having, myself, dealt with writing such a library (lesson
learnt: don't do that), I can confirm it is very hard (if not
impossible) to properly talk with GnuPG in a reasonable way. There is
now a constant flow of vulnerabilities coming out that outline commonly
made mistakes when trying to talk the line dialog with GnuPG. For
example:

https://dev.gentoo.org/~mgorny/articles/evolution-uid-trust-extrapolation.html
https://blogs.gentoo.org/mgorny/2019/01/29/identity-with-openpgp-trust-model/

I suspect many such issues could be identified formally in the
python-gnupg package.

But maybe, instead, we should just mark it as unsupported in
debian-security-support and move on. There are few packages depending on
it, in jessie:

Reverse Depends:
  Dépend: hash-slinger
  Dépend: pyspread

in stretch:

Reverse Depends:
  Casse: gnupg (<< 0.3.8-3)
  Recommande: python-sleekxmpp
  Dépend: pyspread
  Dépend: hash-slinger
  Dépend: goopg
  Dépend: deken

in buster:

Reverse Depends:
  Casse: gnupg (<< 0.3.8-3)
  Dépend: hash-slinger
  Dépend: goopg
  Recommande: python-sleekxmpp
  Dépend: python-rosbag
  Dépend: pyspread

Note that the list is (slowly) growing.

What do people think?

A.

-- 
The enemy of true freedom is an excessive desire for security.
                        - Jean de la Fontaine

