/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enigmail 2.0.7 breaks split GPG #3989

Closed
micahflee opened this Issue Jun 13, 2018 · 23 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
  Release 4.0 updates
6 participants
@micahflee @marmarek @mfc @qubesos-bot @mossy-nw @andrewdavidwong
@micahflee

micahflee commented Jun 13, 2018

Qubes OS version:

R4.0

Affected component(s):

qubes-gpg-split 2.0.30

Steps to reproduce the behavior:

Using Thunderbird and Enigmail configured to use Split GPG, do normal PGP operations like try sending an encrypted email, or try decrypting an email.

Expected behavior:

They should work.

Actual behavior:

They fail because qubes-gpg-client doesn't recognize the argument --log-file, which is now used in most Enigmail commands.

General notes:

Enigmail 2.0.7, which fixes a security issue, was released today. As part of the fix, it now adds --log-file to the gpg calls that it makes. qubes-gpg-client doesn't pass this option on to the gpgvm and instead fails with an error.

When I was troubleshooting this, I used the Enigmail console to discover my client tried running this command when I tried sending a signed, encrypted email to myself:

/usr/bin/qubes-gpg-client-wrapper --charset utf-8 --display-charset utf-8 --no-auto-check-trustdb --batch --no-tty --no-verbose --status-fd 2 --log-file /tmp/gpgOutput.ln9Jcr -a -t --encrypt --sign --trust-model always --encrypt-to 0x927F419D7EC82C2F149C1BD1403C2657CD994F73 -r 0x403C2657CD994F73 -u 0x927F419D7EC82C2F149C1BD1403C2657CD994F73

When I run it manually in a terminal, I get this output:

qubes-gpg-client: unrecognized option '--log-file'
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Jun 13, 2018

Member

Do you see anything wrong with ignoring --log-file option (at qubes-gpg-client-wrapper level)? Allowing it as-is would be obviously wrong, because that would allow creating (or maybe even overriding) arbitrary file in the backend VM. But not sure if worth the effort to pass it back to frontend domain (if you want, you can always setup logging in gpg.conf in the backend VM).
The question here is - would that break enigmail? Could you check that?
Member

marmarek commented Jun 13, 2018

Do you see anything wrong with ignoring --log-file option (at qubes-gpg-client-wrapper level)? Allowing it as-is would be obviously wrong, because that would allow creating (or maybe even overriding) arbitrary file in the backend VM. But not sure if worth the effort to pass it back to frontend domain (if you want, you can always setup logging in gpg.conf in the backend VM).
The question here is - would that break enigmail? Could you check that?
@micahflee

This comment has been minimized.

Show comment
Hide comment
@micahflee

micahflee Jun 13, 2018

I'm not sure. I don't see a reason to need the gpg logs, but it's possible Enigmail might try to open that file it's writing to later. I'll try to find out.

Update: I've posted to the enigmail mailing list asking: https://admin.hostpoint.ch/pipermail/enigmail-users_enigmail.net/2018-June/005070.html

micahflee commented Jun 13, 2018
edited
Edited 1 time
  • @micahflee micahflee edited Jun 13, 2018 (most recent)
  • @micahflee micahflee created Jun 13, 2018

I'm not sure. I don't see a reason to need the gpg logs, but it's possible Enigmail might try to open that file it's writing to later. I'll try to find out.

Update: I've posted to the enigmail mailing list asking: https://admin.hostpoint.ch/pipermail/enigmail-users_enigmail.net/2018-June/005070.html

@andrewdavidwong andrewdavidwong added bug C: other labels Jun 14, 2018

@andrewdavidwong andrewdavidwong added this to the Release 4.0 updates milestone Jun 14, 2018

@micahflee

This comment has been minimized.

Show comment
Hide comment
@micahflee

micahflee Jun 14, 2018

Patrick from the Enigmail project responded with this:

From what we know currently it seems OK to drop the --log-file argument.

However, the problem behind is that without --log-file, you get a
mixture of human-readable and machine-parseable output on stderr. You
cannot be sure that there is no other way to trick gpg into printing
human-readable output that looks like machine-parseable, and thus make
Enigmail think the message is signed/encrypted whatever.

I therefore recommend you change --log-file XXX to --log-file /dev/null.
This should be OK for Enigmail and equally prevent from such attacks.

Werner Koch from GnuPG also added that just adding --no-verbose will also prevent the mixture of human-readable and machine-parsable output, and apparently Enigmails gpg calls now also all include that flag anyway.

So, I think qubes-gpg-client can replace --log-file XXX with --log-file /dev/null and that should fix it.

micahflee commented Jun 14, 2018

Patrick from the Enigmail project responded with this:

From what we know currently it seems OK to drop the --log-file argument.

However, the problem behind is that without --log-file, you get a
mixture of human-readable and machine-parseable output on stderr. You
cannot be sure that there is no other way to trick gpg into printing
human-readable output that looks like machine-parseable, and thus make
Enigmail think the message is signed/encrypted whatever.

I therefore recommend you change --log-file XXX to --log-file /dev/null.
This should be OK for Enigmail and equally prevent from such attacks.

Werner Koch from GnuPG also added that just adding --no-verbose will also prevent the mixture of human-readable and machine-parsable output, and apparently Enigmails gpg calls now also all include that flag anyway.

So, I think qubes-gpg-client can replace --log-file XXX with --log-file /dev/null and that should fix it.
@mfc

This comment has been minimized.

Show comment
Hide comment
@mfc

mfc Jun 18, 2018

Member

So, I think qubes-gpg-client can replace --log-file XXX with --log-file /dev/null and that should fix it.

I just wanted to bump this as this bug breaks split-gpg and the Enigmail update contains important security updates as Micah mentioned, so downgrading is not a good pathway for users.
Member

mfc commented Jun 18, 2018

So, I think qubes-gpg-client can replace --log-file XXX with --log-file /dev/null and that should fix it.

I just wanted to bump this as this bug breaks split-gpg and the Enigmail update contains important security updates as Micah mentioned, so downgrading is not a good pathway for users.
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Jun 18, 2018

Member

So, I think qubes-gpg-client can replace --log-file XXX with --log-file /dev/null and that should fix it.

This alone isn't enough, the server side would need to accept it. And accepting --log-file option looks dangerous, even with fixed argument. IMO better ignore it completely. Or replace with --no-verbose as suggested elsewhere? There is also an option to support --logger-fd, which is IMO safer in this use case, it should be even possible to emulate --log-file with --logger-fd at qubes-gpg-client-wrapper level.
Member

marmarek commented Jun 18, 2018

So, I think qubes-gpg-client can replace --log-file XXX with --log-file /dev/null and that should fix it.

This alone isn't enough, the server side would need to accept it. And accepting --log-file option looks dangerous, even with fixed argument. IMO better ignore it completely. Or replace with --no-verbose as suggested elsewhere? There is also an option to support --logger-fd, which is IMO safer in this use case, it should be even possible to emulate --log-file with --logger-fd at qubes-gpg-client-wrapper level.
@micahflee

This comment has been minimized.

Show comment
Hide comment
@micahflee

micahflee Jun 18, 2018

Ignoring --log-file completely should work as well. I don't full understand the mitigation to the vulnerability, but as described in the mailing list, either setting --log-file or setting --no-verbose should resolve the underlying bug. And as part of this patch, Enigmail now also adds --no-verbose to all commands, so we should be good to just do that.

Also, I believe this Enigmail patch will stop this vuln from working even if the version of gpg is still vulnerable, however GnuPG also released their own patch. So another way to make it not exploitable (I think) is to just upgrade GnuPG.

micahflee commented Jun 18, 2018

Ignoring --log-file completely should work as well. I don't full understand the mitigation to the vulnerability, but as described in the mailing list, either setting --log-file or setting --no-verbose should resolve the underlying bug. And as part of this patch, Enigmail now also adds --no-verbose to all commands, so we should be good to just do that.

Also, I believe this Enigmail patch will stop this vuln from working even if the version of gpg is still vulnerable, however GnuPG also released their own patch. So another way to make it not exploitable (I think) is to just upgrade GnuPG.

marmarek added a commit to marmarek/qubes-app-linux-split-gpg that referenced this issue Jun 18, 2018

@marmarek
Allow --logger-fd option 
Appropriate handling for data passing was already added in gpg-common.c
before.
This will be used to emulate --log-file option with client-side file.

QubesOS/qubes-issues#3989
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
08f0c09

@marmarek marmarek closed this in marmarek/qubes-app-linux-split-gpg@6606217 Jun 18, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jun 18, 2018

Automated announcement from builder-github

The package qubes-gpg-split-dom0-2.0.31-1.fc23 has been pushed to the r3.2 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

qubesos-bot commented Jun 18, 2018

Automated announcement from builder-github

The package qubes-gpg-split-dom0-2.0.31-1.fc23 has been pushed to the r3.2 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot added the r3.2-dom0-cur-test label Jun 18, 2018

@qubesos-bot qubesos-bot referenced this issue in QubesOS/updates-status Jun 18, 2018

Closed

app-linux-split-gpg v2.0.31 (r3.2) #559

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jun 18, 2018

Automated announcement from builder-github

The package qubes-gpg-split-dom0-2.0.31-1.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

qubesos-bot commented Jun 18, 2018

Automated announcement from builder-github

The package qubes-gpg-split-dom0-2.0.31-1.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot added the r4.0-dom0-cur-test label Jun 18, 2018

@qubesos-bot qubesos-bot referenced this issue in QubesOS/updates-status Jun 18, 2018

Closed

app-linux-split-gpg v2.0.31 (r4.0) #560

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jun 18, 2018

Automated announcement from builder-github

The package app-linux-split-gpg has been pushed to the r3.2 testing repository for the CentOS centos7 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r3.2-current-testing

Changes included in this update

qubesos-bot commented Jun 18, 2018

Automated announcement from builder-github

The package app-linux-split-gpg has been pushed to the r3.2 testing repository for the CentOS centos7 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r3.2-current-testing

Changes included in this update

@qubesos-bot qubesos-bot added r3.2-centos7-cur-test r4.0-buster-cur-test r4.0-jessie-cur-test labels Jun 18, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jun 18, 2018

Automated announcement from builder-github

The package app-linux-split-gpg has been pushed to the r4.0 testing repository for the CentOS centos7 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

qubesos-bot commented Jun 18, 2018

Automated announcement from builder-github

The package app-linux-split-gpg has been pushed to the r4.0 testing repository for the CentOS centos7 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot added r3.2-buster-cur-test r4.0-centos7-cur-test labels Jun 18, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jun 18, 2018

Automated announcement from builder-github

The package qubes-gpg-split_2.0.31-1+deb9u1 has been pushed to the r4.0 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

qubesos-bot commented Jun 18, 2018

Automated announcement from builder-github

The package qubes-gpg-split_2.0.31-1+deb9u1 has been pushed to the r4.0 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot qubesos-bot added r4.0-stretch-cur-test r3.2-jessie-cur-test labels Jun 18, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jun 18, 2018

Automated announcement from builder-github

The package qubes-gpg-split_2.0.31-1+deb9u1 has been pushed to the r3.2 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

qubesos-bot commented Jun 18, 2018

Automated announcement from builder-github

The package qubes-gpg-split_2.0.31-1+deb9u1 has been pushed to the r3.2 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot qubesos-bot added r3.2-stretch-cur-test r3.2-fc25-cur-test labels Jun 18, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jun 18, 2018

Automated announcement from builder-github

The component app-linux-split-gpg (including package qubes-gpg-split-2.0.31-1.fc26) has been pushed to the r3.2 testing repository for the Fedora template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r3.2-current-testing

Changes included in this update

qubesos-bot commented Jun 18, 2018

Automated announcement from builder-github

The component app-linux-split-gpg (including package qubes-gpg-split-2.0.31-1.fc26) has been pushed to the r3.2 testing repository for the Fedora template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r3.2-current-testing

Changes included in this update

@qubesos-bot qubesos-bot added r3.2-fc26-cur-test r3.2-fc27-cur-test r3.2-fc28-cur-test labels Jun 18, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jun 18, 2018

Automated announcement from builder-github

The component app-linux-split-gpg (including package qubes-gpg-split-2.0.31-1.fc26) has been pushed to the r4.0 testing repository for the Fedora template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

qubesos-bot commented Jun 18, 2018

Automated announcement from builder-github

The component app-linux-split-gpg (including package qubes-gpg-split-2.0.31-1.fc26) has been pushed to the r4.0 testing repository for the Fedora template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot added r4.0-fc26-cur-test r4.0-fc27-cur-test r4.0-fc28-cur-test labels Jun 18, 2018

@mossy-nw

This comment has been minimized.

Show comment
Hide comment
@mossy-nw

mossy-nw Jun 19, 2018

Thanks @micahflee @marmarek for being on top of this. It didn't work right away, but perhaps after a few qube and system restarts it seems to be working great for me on fedora-28 templates.

Thx again!

mossy-nw commented Jun 19, 2018
edited
Edited 1 time
  • @mossy-nw mossy-nw edited Jun 19, 2018 (most recent)
  • @mossy-nw mossy-nw created Jun 19, 2018

Thanks @micahflee @marmarek for being on top of this. It didn't work right away, but perhaps after a few qube and system restarts it seems to be working great for me on fedora-28 templates.

Thx again!

@qubesos-bot qubesos-bot added the r4.0-centos7-stable label Jun 29, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jun 29, 2018

Automated announcement from builder-github

The component app-linux-split-gpg (including package qubes-gpg-split-2.0.31-1.fc26) has been pushed to the r4.0 stable repository for the Fedora template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

qubesos-bot commented Jun 29, 2018

Automated announcement from builder-github

The component app-linux-split-gpg (including package qubes-gpg-split-2.0.31-1.fc26) has been pushed to the r4.0 stable repository for the Fedora template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

@qubesos-bot qubesos-bot added r4.0-fc26-stable r4.0-fc27-stable r4.0-fc28-stable r3.2-fc25-stable and removed r4.0-fc26-cur-test r4.0-fc27-cur-test r4.0-fc28-cur-test r3.2-fc25-cur-test labels Jun 29, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jun 29, 2018

Automated announcement from builder-github

The component app-linux-split-gpg (including package qubes-gpg-split-2.0.31-1.fc26) has been pushed to the r3.2 stable repository for the Fedora template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

qubesos-bot commented Jun 29, 2018

Automated announcement from builder-github

The component app-linux-split-gpg (including package qubes-gpg-split-2.0.31-1.fc26) has been pushed to the r3.2 stable repository for the Fedora template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

@qubesos-bot qubesos-bot added r3.2-fc26-stable r3.2-fc27-stable r3.2-fc28-stable r3.2-buster-stable r3.2-jessie-stable and removed r3.2-fc26-cur-test r3.2-fc27-cur-test r3.2-fc28-cur-test r3.2-buster-cur-test r3.2-jessie-cur-test labels Jun 29, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jun 29, 2018

Automated announcement from builder-github

The package qubes-gpg-split_2.0.31-1+deb9u1 has been pushed to the r3.2 stable repository for the Debian template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

qubesos-bot commented Jun 29, 2018

Automated announcement from builder-github

The package qubes-gpg-split_2.0.31-1+deb9u1 has been pushed to the r3.2 stable repository for the Debian template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot qubesos-bot added r3.2-stretch-stable r4.0-buster-stable r4.0-jessie-stable and removed r3.2-stretch-cur-test r4.0-buster-cur-test r4.0-jessie-cur-test labels Jun 29, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jun 29, 2018

Automated announcement from builder-github

The package qubes-gpg-split_2.0.31-1+deb9u1 has been pushed to the r4.0 stable repository for the Debian template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

qubesos-bot commented Jun 29, 2018

Automated announcement from builder-github

The package qubes-gpg-split_2.0.31-1+deb9u1 has been pushed to the r4.0 stable repository for the Debian template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot qubesos-bot added r4.0-stretch-stable and removed r4.0-stretch-cur-test labels Jun 29, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jun 29, 2018

Automated announcement from builder-github

The package app-linux-split-gpg has been pushed to the r3.2 stable repository for the Fedora centos7 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

qubesos-bot commented Jun 29, 2018

Automated announcement from builder-github

The package app-linux-split-gpg has been pushed to the r3.2 stable repository for the Fedora centos7 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

@qubesos-bot qubesos-bot added r3.2-centos7-stable and removed r3.2-centos7-cur-test labels Jun 29, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jun 29, 2018

Automated announcement from builder-github

The package qubes-gpg-split-dom0-2.0.31-1.fc23 has been pushed to the r3.2 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

qubesos-bot commented Jun 29, 2018

Automated announcement from builder-github

The package qubes-gpg-split-dom0-2.0.31-1.fc23 has been pushed to the r3.2 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

@qubesos-bot qubesos-bot added r3.2-dom0-stable and removed r3.2-dom0-cur-test labels Jun 29, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jun 29, 2018

Automated announcement from builder-github

The package qubes-gpg-split-dom0-2.0.31-1.fc25 has been pushed to the r4.0 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

qubesos-bot commented Jun 29, 2018

Automated announcement from builder-github

The package qubes-gpg-split-dom0-2.0.31-1.fc25 has been pushed to the r4.0 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

@qubesos-bot qubesos-bot added r4.0-dom0-stable and removed r4.0-dom0-cur-test labels Jun 29, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment