
Re: concerns about the security reliability of python-gnupg



On 2019-02-07 at 11:44:45 -0500, Antoine Beaupré wrote:
> Hi,
> 
> Recently, python-gnupg was triaged for maintenance in Debian LTS, which
> brought my attention to this little wrapper around GnuPG that I'm
> somewhat familiar with.
> 
> Debian is marked as "vulnerable" for CVE-2019-6690 in Jessie and Stretch
> right now, with buster and sid marked as fixed, as you can see here:
> 
> https://security-tracker.debian.org/tracker/source-package/python-gnupg

Sorry, my fault for missing the CVE when uploading the new upstream
version; I will prepare the fix for stable(-security) ASAP.

I don't care enough about LTS to learn its upload procedures, but if
somebody is interested in doing it I can backport the patch and push it
to git, for them to upload.

> I'm concerned about the security of this project in general. Even though
> that specific instance might be fixed, there are many more bad security
> practices used in this project. A fork was created by Isis Agora
> Lovecruft to fix those issues:
> 
> https://github.com/isislovecruft/python-gnupg/

AFAIK that fork is dead upstream, and it's not compatible with Vinay
Sajip's version, so it can't be used to satisfy the dependency in other
packages.

> [...]
> I suspect many such issues could be identified formally in the
> python-gnupg package.

My experience with upstream is that they are quite good at reacting to
issues that are raised on their bugtracker (and I'm happy to forward
them there from the Debian BTS).

On the other hand, they don't maintain an LTS version, so the fix will
happen in the latest release, and while I'm confident that many patches
will be backportable there is no guarantee that *all* of them would be,
especially to the version in oldstable.

> But maybe, instead, we should just mark it as unsupported in
> debian-security-support and move on. There are few packages depending on
> it, in jessie:
> [...]
> in buster:
> [...]

I think this list is missing something, maybe the reverse dependencies
of python3-gnupg: I know that gajim-pgp depends on it (and is in turn
recommended by gajim) at least in buster; earlier versions used an old
embedded copy of the same library, so this isn't really a "new"
dependency.

-- 
Elena ``of Valhalla''
