oss-sec mailing list archives
Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store)
From: Marcus Brinkmann <marcus.brinkmann () ruhr-uni-bochum de>
Date: Fri, 15 Jun 2018 16:43:51 +0200
On 06/15/2018 12:20 AM, Jakub Wilk wrote:
* Marcus Brinkmann <marcus.brinkmann () ruhr-uni-bochum de>, 2018-06-14, 23:46:CVE-2018-12356: An issue was discovered in password-store.sh in pass in Simple Password Store 1.7 through 1.7.1. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files and extensions scripts[...]https://neopg.io/blog/pass-signature-spoof/In the blog post you write that the fixed regexp is "^[GNUPG:]", but that would be really bad. :) I think you meant "^\[GNUPG:\]".
Thanks, fixed.
There's apparently more software that uses unachored "\[GNUPG:\]": https://codesearch.debian.net/search?q=%5B%5E%5E%5D%5C%5C%5C%5BGNUPG%3A%5C%5C%5C%5D
Yes. I did two weeks of due diligence on the important package managers, Git, and anything I could think of that is critical. But I am not saying what I looked at, because there might be something I missed, and I want everybody to join in and have a fresh look. It is too much for a single person. I didn't know about Debian code search, so thanks for the tip. You reporting these? If not, I can do it.
Current thread:
- CVE-2018-12356 Breaking signature verification in pass (Simple Password Store) Marcus Brinkmann (Jun 14)
- Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store) Jakub Wilk (Jun 14)
- Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store) Marcus Brinkmann (Jun 15)
- Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store) Jakub Wilk (Jun 15)
- Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store) Marcus Brinkmann (Jun 16)
- Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store) Marcus Brinkmann (Jun 15)
- Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store) Jakub Wilk (Jun 14)
- Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store) Jason A. Donenfeld (Jun 14)