oss-sec mailing list archives
Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store)
From: Jakub Wilk <jwilk () jwilk net>
Date: Fri, 15 Jun 2018 00:20:21 +0200
* Marcus Brinkmann <marcus.brinkmann () ruhr-uni-bochum de>, 2018-06-14, 23:46:
CVE-2018-12356: An issue was discovered in password-store.sh in pass in Simple Password Store 1.7 through 1.7.1. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files and extensions scripts
[...]
https://neopg.io/blog/pass-signature-spoof/
In the blog post you write that the fixed regexp is "^[GNUPG:]", but that would be really bad. :) I think you meant "^\[GNUPG:\]".
There's apparently more software that uses unachored "\[GNUPG:\]": https://codesearch.debian.net/search?q=%5B%5E%5E%5D%5C%5C%5C%5BGNUPG%3A%5C%5C%5C%5D -- Jakub Wilk
Current thread:
- CVE-2018-12356 Breaking signature verification in pass (Simple Password Store) Marcus Brinkmann (Jun 14)
- Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store) Jakub Wilk (Jun 14)
- Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store) Marcus Brinkmann (Jun 15)
- Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store) Jakub Wilk (Jun 15)
- Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store) Marcus Brinkmann (Jun 16)
- Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store) Marcus Brinkmann (Jun 15)
- Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store) Jakub Wilk (Jun 14)
- Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store) Jason A. Donenfeld (Jun 14)