oss-sec mailing list archives

CVE-2018-12020 in GnuPG


From: Yves-Alexis Perez <corsac () debian org>
Date: Fri, 08 Jun 2018 21:36:09 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi everybody,

just a heads up, since we weren't notified in advance and it's Friday evening
(in Europe at least).

There's a nasty vulnerability in GnuPG which can be apparently used to bypass
signature verification when a program calls gpg to verify a signature and
parses the output:

https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
https://dev.gnupg.org/T4012

It might be worth checking whether package managers' signature verification is
affected.

Apt doesn't seem affected at first sight (it uses gpgv) but we'll double
check.

Regards,
- -- 
Yves-Alexis
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAlsa2qkACgkQ3rYcyPpX
RFv/vAf+MVxGn1N+UT1W6HLMnR2BJLcRI0emIAdYOW+HNoXGgAnRckQa2vbLv645
bKdrpjGR8vsMMiCNmk2vUUOuV5lhfX4XN7ik9wyLpJhJWrxTZ+OdfIPwWE7dOj3x
bsw+8gYi2gK6v274nUtFXbU2XcTCkgAlqcIfeJlhh8MLDqJ7Fka8YJO02EsW+pRa
Bu2fblFm5P4TcTMOBjoX4zRHob4S2po57vCIgbA0GKLAzzjB8vWzPbo73waozvQR
OAL69guzAFKIdVNZ4x4WOcgNoZt6/sx1DWs1+oYfhWC5TNlrK5HcfUmmZ5bq1ov3
S8SJhFB1Q7c5xyCcmza8mQSwkBrpfA==
=AI6O
-----END PGP SIGNATURE-----

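Added example (not part of the message above and not GnuPG's own code): the linked GnuPG announcement describes the bug as gpg's verbose log output printing the filename embedded in a literal-data packet unsanitized, so a program that reads status lines from the same descriptor as the log (for instance `gpg --status-fd 2 --verbose`) can be fed forged `[GNUPG:] GOODSIG` / `VALIDSIG` lines. The Python below shows the safe pattern a caller should use regardless of gpg version: put `--status-fd` on a private descriptor, parse only that stream, and tie acceptance to the full fingerprint in `VALIDSIG`. The fingerprint and the two sample output buffers are constructed for the demonstration and are not real gpg transcripts.

```python
# Added example (not from the oss-sec message or GnuPG): parse GnuPG status
# output safely, and show why a consumer that reads status lines from a stream
# mixed with gpg's ordinary log output can be spoofed by a crafted filename.
import subprocess
import tempfile

STATUS_PREFIX = "[GNUPG:] "


def parse_status(status_text):
    """Group status lines by keyword: {"VALIDSIG": [[fpr, ...], ...], ...}.

    Only lines beginning with "[GNUPG:] " count; everything else is ignored.
    That is exactly why the *source* of the text matters: if the stream also
    carries log output, anything gpg logs verbatim (such as the filename stored
    inside a literal-data packet) can masquerade as a status line.
    """
    status = {}
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if fields:
            status.setdefault(fields[0], []).append(fields[1:])
    return status


def signature_is_good(status, expected_fingerprint):
    """Accept only a VALIDSIG from the expected key and no failing status.

    GOODSIG alone is not enough: it names the key by key ID and user ID string,
    so the check is tied to the full fingerprint that VALIDSIG carries.
    """
    if any(k in status for k in ("BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY")):
        return False
    return any(
        args and args[0].upper() == expected_fingerprint.upper()
        for args in status.get("VALIDSIG", [])
    )


def verify_detached(gpg, signature_path, data_path, expected_fingerprint,
                    extra_args=()):
    """Run gpg/gpgv with status on a dedicated descriptor and judge the result
    from that descriptor only, never from stdout or stderr.

    The status descriptor is a temporary file handed to the child via pass_fds,
    so no log line, however crafted, can land in the status stream. For gpg
    pass extra_args=("--batch",); for gpgv pass ("--keyring", path).
    """
    with tempfile.TemporaryFile() as status_file:
        fd = status_file.fileno()
        cmd = [gpg, "--status-fd", str(fd), *extra_args,
               "--verify", signature_path, data_path]
        proc = subprocess.run(cmd, pass_fds=(fd,), capture_output=True)
        status_file.seek(0)
        status = parse_status(status_file.read().decode("utf-8", "replace"))
    return signature_is_good(status, expected_fingerprint), proc.returncode


# Constructed sample (hypothetical fingerprint, simplified line details): what a
# consumer of `gpg --status-fd 2 --verbose` sees for an UNSIGNED literal-data
# packet whose embedded filename contains newlines. The three "[GNUPG:]" lines
# between the two "gpg:" fragments were written by gpg's logger as part of the
# filename, not by its status machinery.
TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # hypothetical key
SPOOFED_MIXED_OUTPUT = "\n".join([
    "[GNUPG:] PLAINTEXT 62 1528484169 payload.txt",
    "gpg: original file name='",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>",
    f"[GNUPG:] VALIDSIG {TRUSTED_FPR} 2018-06-08 1528484169 0 4 0 1 8 00 {TRUSTED_FPR}",
    "[GNUPG:] TRUST_ULTIMATE 0 pgp",
    "gpg: '",
    "[GNUPG:] PLAINTEXT_LENGTH 11",
]) + "\n"

# Constructed sample: what the dedicated status descriptor carries for the same
# unsigned packet. No VALIDSIG is present, so the check fails as it should.
GENUINE_STATUS_OUTPUT = "\n".join([
    "[GNUPG:] PLAINTEXT 62 1528484169 payload.txt",
    "[GNUPG:] PLAINTEXT_LENGTH 11",
]) + "\n"


def spoof_demo():
    """Return (result from the mixed stream, result from the status-only stream)."""
    naive = signature_is_good(parse_status(SPOOFED_MIXED_OUTPUT), TRUSTED_FPR)
    safe = signature_is_good(parse_status(GENUINE_STATUS_OUTPUT), TRUSTED_FPR)
    return naive, safe


if __name__ == "__main__":
    naive, safe = spoof_demo()
    print("mixed status+log stream accepted forged signature:", naive)
    print("dedicated status descriptor accepted it:", safe)
```

The parser is the same in both paths; only the stream it is fed differs, which is the whole lesson of the bug. `verify_detached` is the form a package manager or updater should use, and it is not exercised by the sample data because it needs a gpg binary and a keyring.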