Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Sat, 9 Jun 2018 02:02:43 +0200
From: Marcus Brinkmann <>
Subject: Re: CVE-2018-12020 in GnuPG


On 06/08/2018 09:36 PM, Yves-Alexis Perez wrote:
> Hi everybody,
> just a heads up, since we weren't notified in advance and it's Friday evening
> (in Europe at least).

Yes.  I tried to disclose this responsibly with Werner Koch (and in
coordination with other affected projects), but within two hours he did
a unilateral full disclosure without getting back to me.


> There's a nasty vulnerability in GnuPG which can be apparently used to bypass
> signature verification when a program calls gpg to verify a signature and
> parses the output:
> It might be worth checking whether package managers' signature verification is
> affected.
> Apt doesn't seem affected at first sight (it uses gpgv) but we'll double
> check.

I am still handling this under responsible disclosure. This is why I
have not spoken out yet, and the CVE is not public. But what you say is
important and correct.

