oss-sec mailing list archives
Re: CVE-2018-12020 in GnuPG
From: Marcus Brinkmann <marcus.brinkmann () ruhr-uni-bochum de>
Date: Sat, 9 Jun 2018 02:02:43 +0200
Hi,

On 06/08/2018 09:36 PM, Yves-Alexis Perez wrote:

> Hi everybody, just a heads up, since we weren't notified in advance and it's Friday evening (in Europe at least).

Yes. I tried to disclose this responsibly with Werner Koch (and in coordination with other affected projects), but within two hours he did a unilateral full disclosure without getting back to me. :(

> There's a nasty vulnerability in GnuPG which can apparently be used to bypass signature verification when a program calls gpg to verify a signature and parses the output:
>
> https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
> https://dev.gnupg.org/T4012
>
> It might be worth checking whether package managers' signature verification is affected. Apt doesn't seem affected at first sight (it uses gpgv), but we'll double check.

I am still handling this under responsible disclosure. This is why I have not spoken out yet, and the CVE is not public. But what you say is important and correct.

Thanks,
Marcus
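The class of bug discussed in this thread is a caller that runs gpg and derives its verdict from text that gpg did not intend as machine-readable output. The example below is added here for illustration; it is not code from the thread, from Apt or from the GnuPG project. It decides validity only from lines on the dedicated `--status-fd` channel (the `[GNUPG:]` status protocol keywords `GOODSIG`, `VALIDSIG`, `BADSIG`, `ERRSIG`, `NO_PUBKEY` and so on), never from the human-readable messages gpg writes to stderr, and it requires both `GOODSIG` and `VALIDSIG` before reporting success. The sample status and stderr texts are constructed for the example; `verify_with_gpg` assumes a `gpg` binary is installed and is not exercised offline.

```python
"""Decide whether a gpg --verify run succeeded using ONLY the status-fd channel.

Added example, not GnuPG project code. Assumes gpg is invoked with
--status-fd 1 so that status lines arrive on stdout while all human-readable
diagnostics (including anything derived from file names) stay on stderr.
"""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

STATUS_PREFIX = "[GNUPG:] "

# Status keywords (from GnuPG's doc/DETAILS) that must veto a "verified" result.
ERROR_KEYWORDS = {
    "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
    "NO_PUBKEY", "NODATA", "UNEXPECTED", "FAILURE",
}


@dataclass
class Verdict:
    good: bool = False                  # set by GOODSIG
    valid: bool = False                 # set by VALIDSIG
    fingerprint: Optional[str] = None   # primary fingerprint from VALIDSIG
    errors: List[str] = field(default_factory=list)

    @property
    def verified(self) -> bool:
        # Both GOODSIG and VALIDSIG are required, and no error keyword may appear.
        return self.good and self.valid and not self.errors


def parse_status(status_text: str) -> Verdict:
    """Parse status-fd output. Lines without the [GNUPG:] prefix are ignored,
    so free-form text (e.g. stderr accidentally fed in) can never grant trust."""
    verdict = Verdict()
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword == "GOODSIG":
            verdict.good = True
        elif keyword == "VALIDSIG" and len(fields) >= 2:
            verdict.valid = True
            verdict.fingerprint = fields[1]
        elif keyword in ERROR_KEYWORDS:
            verdict.errors.append(keyword)
    return verdict


def build_verify_command(sig_path: str, data_path: Optional[str] = None) -> List[str]:
    """Command line that keeps status output on its own fd and omits --verbose,
    so diagnostics that echo file names never share the channel we parse."""
    cmd = ["gpg", "--batch", "--no-tty", "--status-fd", "1", "--verify", sig_path]
    if data_path is not None:
        cmd.append(data_path)
    return cmd


def verify_with_gpg(sig_path: str, data_path: Optional[str] = None) -> Verdict:
    """Run gpg and judge the result from stdout (status fd) only.
    Requires an installed gpg binary; stderr is kept for logging, not parsed."""
    proc = subprocess.run(
        build_verify_command(sig_path, data_path),
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,
    )
    return parse_status(proc.stdout)


# Constructed sample status-fd output (fingerprint and key id are made up).
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>\n"
    f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2018-06-08 1528491163 0 4 0 1 10 00 {SAMPLE_FPR}\n"
    "[GNUPG:] TRUST_FULLY 0 pgp\n"
)
SAMPLE_BAD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 0123456789ABCDEF Example User <user@example.org>\n"
)
# Constructed human-readable stderr text; it must never produce a verified verdict.
SAMPLE_STDERR_ONLY = (
    "gpg: Signature made Fri Jun  8 21:36:00 2018 CEST\n"
    "gpg: Good signature from \"Example User <user@example.org>\"\n"
)

if __name__ == "__main__":
    print("good status  ->", parse_status(SAMPLE_GOOD_STATUS).verified)
    print("bad status   ->", parse_status(SAMPLE_BAD_STATUS).verified)
    print("stderr text  ->", parse_status(SAMPLE_STDERR_ONLY).verified)
```

The design choice to note is the channel separation: with `--status-fd 1` the only bytes that can influence `parse_status` are the ones gpg itself emits as status lines, and the function additionally insists on `VALIDSIG` (which carries the signing key's fingerprint) rather than accepting `GOODSIG` alone. gpgv, which Apt uses, speaks the same status protocol, so the parser applies unchanged.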