Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store)

[Marcus Brinkmann <marcus.brinkmann () ruhr-uni-bochum de>]

On 06/15/2018 12:20 AM, Jakub Wilk wrote:
> * Marcus Brinkmann <marcus.brinkmann () ruhr-uni-bochum de>, 2018-06-14,
> 23:46:
> > CVE-2018-12356: An issue was discovered in password-store.sh in pass
> > in Simple Password Store 1.7 through 1.7.1. The signature verification
> > routine parses the output of GnuPG with an incomplete regular
> > expression, which allows remote attackers to spoof file signatures on
> > configuration files and extensions scripts
> [...]
> > https://neopg.io/blog/pass-signature-spoof/
>
> In the blog post you write that the fixed regexp is "^[GNUPG:]", but
> that would be really bad. :) I think you meant "^\[GNUPG:\]".

Thanks, fixed.

> There's apparently more software that uses unachored "\[GNUPG:\]":
> https://codesearch.debian.net/search?q=%5B%5E%5E%5D%5C%5C%5C%5BGNUPG%3A%5C%5C%5C%5D

Yes. I did two weeks of due diligence on the important package managers,
Git, and anything I could think of that is critical. But I am not saying
what I looked at, because there might be something I missed, and I want
everybody to join in and have a fresh look. It is too much for a single
person.

I didn't know about Debian code search, so thanks for the tip.

You reporting these? If not, I can do it.