Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 08 Jun 2018 21:36:09 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2018-12020 in GnuPG

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi everybody,

just a heads up, since we weren't notified in advance and it's Friday evening
(in Europe at least).

There's a nasty vulnerability in GnuPG which can be apparently used to bypass
signature verification when a program calls gpg to verify a signature and
parses the output:

https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
https://dev.gnupg.org/T4012

It might be worth checking whether package managers signature verification is
affected.

Apt doesn't seems affected at first sight (it uses gpgv) but we'll double
check.

Regards,
- -- 
Yves-Alexis
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAlsa2qkACgkQ3rYcyPpX
RFv/vAf+MVxGn1N+UT1W6HLMnR2BJLcRI0emIAdYOW+HNoXGgAnRckQa2vbLv645
bKdrpjGR8vsMMiCNmk2vUUOuV5lhfX4XN7ik9wyLpJhJWrxTZ+OdfIPwWE7dOj3x
bsw+8gYi2gK6v274nUtFXbU2XcTCkgAlqcIfeJlhh8MLDqJ7Fka8YJO02EsW+pRa
Bu2fblFm5P4TcTMOBjoX4zRHob4S2po57vCIgbA0GKLAzzjB8vWzPbo73waozvQR
OAL69guzAFKIdVNZ4x4WOcgNoZt6/sx1DWs1+oYfhWC5TNlrK5HcfUmmZ5bq1ov3
S8SJhFB1Q7c5xyCcmza8mQSwkBrpfA==
=AI6O
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.