Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 9 Jun 2018 02:02:43 +0200
From: Marcus Brinkmann <marcus.brinkmann@...r-uni-bochum.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2018-12020 in GnuPG

Hi,

On 06/08/2018 09:36 PM, Yves-Alexis Perez wrote:
> Hi everybody,
> 
> just a heads up, since we weren't notified in advance and it's Friday evening
> (in Europe at least).

Yes.  I tried to disclose this responsibly with Werner Koch (and in
coordination with other affected projects), but within two hours he did
a unilateral full disclosure without getting back to me.

:(

> There's a nasty vulnerability in GnuPG which can be apparently used to bypass
> signature verification when a program calls gpg to verify a signature and
> parses the output:
> 
> https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
> https://dev.gnupg.org/T4012
> 
> It might be worth checking whether package managers signature verification is
> affected.
> 
> Apt doesn't seems affected at first sight (it uses gpgv) but we'll double
> check.

I am still handling this under responsible disclosure. This is why I
have not spoken out yet, and the CVE is not public. But what you say is
important and correct.

Thanks,
Marcus



Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ