| Bug ID | 1219191 |
|---|---|
| Summary | VUL-0: gpg2: Smartcard generation keeps an unprotected backup key on disk |
| Classification | openSUSE |
| Product | openSUSE Distribution |
| Version | Leap 15.5 |
| Hardware | Other |
| OS | Other |
| Status | NEW |
| Severity | Normal |
| Priority | P5 - None |
| Component | Security |
| Assignee | pmonrealgonzalez@suse.com |
| Reporter | Andreas.Stieger@gmx.de |
| QA Contact | qa-bugs@suse.de |
| CC | security-team@suse.de |
| Target Milestone | --- |
| Found By | --- |
| Blocker | --- |
It was discovered that GnuPG before 2.4.4 kept an additional unprotected copy of the encryption subkey on disk. 2.4.2, 2.4.3, 2.2.42 affected if the card generation was done with the command gpg --card-edit. If the smartcard was created without a backup of the encryption key the problem does not show up either. Having a password protected backup key is expected behavior. References: https://gnupg.org/blog/20240125-smartcard-backup-key.html