Roundup Security Issues

This page documents CVE’s fixed starting with version 2.4.0, how to report security issues, and verify the signatures for Roundup source release tarballs.

CVE Announcements

Reporting Security Issues

Security issues with Roundup should be reported by email to:

rouilj@users.sourceforge.net (John Rouillard)

rsc@runtux.com (Ralf Schlatterbeck)

If these fail, you can find rouilj on irc in channel #roundup at irc.oftc.net (see Contact for more directions and web interface). Methods listed at Contact are all public, so they should be used to contact somebody with the Roundup project for establishing a proper method of reporting the security issue.

Verify Source Tarball

If you download the source tarball using python3-mpipdownloadroundup or from https://pypi.org/project/roundup/#files you can verify the file using gpg.

This is the information on the public PGP/GPG key used to sign Roundup distributions. It is used to sign the 1.6.0, 2.2.0, and newer releases. (Note that the @ sign in email addresses have been replaced with the word “at” to reduce spam directed at the mailing list.):

Keyinfo:RoundupTeam(signingkeyforroundupreleases)<roundup-develatlists.sourceforge.net>Expires:2028-07-17Keyfingerprint=411E354B5D1AF26125D621221F2DD0CB756A76D8

Releases 1.6.1, 2.0.0 and 2.1.0 were accidentally signed with this key [1]:

Keyinfo:JohnRouillard(RoundupReleaseKey)<rouilj+roundupatieee.org>Expires:2023-07-09Keyfingerprint=A1E6364E9429E9D82B3B2373DB05ADC423305876

Importing the Public Key

This only has to be added to your keyring once. You can import a key from pgp.mit.edu using:

gpg--keyserverpgp.mit.edu--receive-keys411E354B5D1AF26125D621221F2DD0CB756A76D8

where the fingerprint (without spaces) is used to identify which key to receive. You can also extract and import the file tools/roundup.public.pgp.key from the download source tarball using:

tar-xzvfroundup-2.2.0.tar.gz-O \ roundup-2.2.0/tools/roundup.public.pgp.key>pub.keygpg--importpub.key

Once you have loaded the public key, you need a detached signature for your release.

Download Detached Signature and Verify

This needs to be done once for each release you wish to verify.

The Python Package Index (PyPI) used to support uploading gpg detached signatures. However that is no longer supported and downloading existing signatures may not work in the future.

As a result, the signatures for all Roundup final releases starting with 1.6.0 have been moved and are linked below:

To use the signature, download the correct versioned link and verify it with (note 1.5.7 is a dummy version, use the correct version number):

gpg--verifyroundup-1.5.7.tar.gz.ascroundup-1.5.7.tar.gz

You should see:

gpg: Signature made Wed 13 Jul 2022 12:24:14 AM EDT gpg: using RSA key 411E354B5D1AF26125D621221F2DD0CB756A76D8 gpg: Good signature from "Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 411E 354B 5D1A F261 25D6 2122 1F2D D0CB 756A 76D8

which verifies the tarball integrity. The WARNING is expected and the date corresponds to the newest renewal of the Roundup key. As long as you see the output starting with “Good signature from” followed by the Key Info for your key, everything is OK.

If something is wrong you will see:

gpg:SignaturemadeWed13Jul202212:24:14AMEDTgpg:usingRSAkey411E354B5D1AF26125D621221F2DD0CB756A76D8gpg:BADsignaturefrom"Roundup Team (signing key for roundup releases) <roundup-devel at lists.sourceforge.net>"

do not use the tarball if the signature is BAD. Email the mailing list: roundup-devel at lists.sourceforge.net if you have this happen to you.