We have just published Qubes Security Bulletin (QSB) 084: Split GPG: GnuPG file descriptor confusion and file existence leak. The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack). More information about QSBs, including a complete historical list, is available here.
---===[ Qubes Security Bulletin 084 ]===--- 2022-08-06 Split GPG: GnuPG file descriptor confusion and file existence leak User action required --------------------- Users must install the following specific packages in order to address the issues discussed in this bulletin: For Qubes 4.1, in templates and standalones: - qubes-gpg-split 2.0.63 These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community.  Once available, the packages are to be installed via the Qubes Update tool or its command-line equivalents.  Summary -------- Split GPG  is designed to isolate private keys from the application using them in order to protect them from being extracted and to allow the user to retain control over when they are used. This isolation is implemented by forwarding calls from an application in a frontend qube, where `qubes-gpg-client` is executed, to an instance of `gpg` in a backend qube that holds the private keys, all while allowing only specific `gpg` options. This option filtering mechanism is designed to reject options like `--export-secret-keys` that might leak private keys to the frontend qube. However, it has been discovered that certain combinations of options allow the frontend qube to access data in the backend qube in unintended ways. Two separate types of attack were discovered: 1. Interaction via `--command-fd` allows the frontend qube to check for the existence of arbitrary files in the backend qube, including files unrelated to GnuPG. 2. Using the same `--*-fd` option several times allows the frontend qube to redirect GnuPG input and output to the wrong file descriptor. This can be used to: - Corrupt files used by GnuPG. (We have confirmed this only in the case of `trustdb`, but other files cannot be ruled out.) - Issue arbitrary commands to `gpg-agent`, which can be used to perform actions like generating new secret keys and deleting existing keys. - Set various environment variables for the `pinentry` process, thereby providing an indirect avenue of attack against this process. However, our testing did not reveal any way to exploit this vulnerability in order to read `gpg-agent`'s responses, which means that certain actions, such as extracting secret keys, should not be possible. Impact ------- An attacker controlling a Split GPG frontend qube can check for the existence of arbitrary files in a backend qube, corrupt the `trustdb` file in a backend qube, issue arbitrary commands to `gpg-agent` in a backend qube, and issue arbitrary commands to a smart card daemon in a backend qube. While this vulnerability can be exploited in order to generate and delete keys in the backend qube (or on a smart card attached to the backend qube), it is unlikely that it can be used to exfiltrate private keys out of the backend qube (or off of a smart card attached to the backend qube). If this vulnerability were to be chained with a hypothetical vulnerability in `gpg-agent`, `scdaemon`, or `pinentry` (or in one of the libraries they use), then arbitrary code execution could be possible. Credits -------- This issue was discovered by Demi Marie Obenour. References -----------  https://www.qubes-os.org/doc/testing/  https://www.qubes-os.org/doc/how-to-update/  https://www.qubes-os.org/doc/split-gpg/ -- The Qubes Security Team https://www.qubes-os.org/security/