Date: Sat, 9 Jun 2018 02:02:43 +0200
From: Marcus Brinkmann <marcus.brinkmann@...r-uni-bochum.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2018-12020 in GnuPG

Hi,

On 06/08/2018 09:36 PM, Yves-Alexis Perez wrote:
> Hi everybody,
>
> just a heads up, since we weren't notified in advance and it's Friday evening
> (in Europe at least).

Yes. I tried to disclose this responsibly with Werner Koch (and in coordination
with other affected projects), but within two hours he did a unilateral full
disclosure without getting back to me. :(

> There's a nasty vulnerability in GnuPG which can apparently be used to bypass
> signature verification when a program calls gpg to verify a signature and
> parses the output:
>
> https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
> https://dev.gnupg.org/T4012
>
> It might be worth checking whether package managers' signature verification is
> affected.
>
> Apt doesn't seem affected at first sight (it uses gpgv) but we'll double
> check.

I am still handling this under responsible disclosure. This is why I have not
spoken out yet, and the CVE is not public. But what you say is important and
correct.

Thanks,
Marcus

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
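The quoted paragraph names the bug class (a caller that parses gpg's printed output to decide whether a signature is good) without showing what a safe caller looks like. The following is an added example, not code from this thread, from GnuPG or from any package manager: it contrasts the fragile "grep the merged output for GOODSIG" pattern with a parser that only trusts a dedicated `--status-fd` stream and an allow-listed signing key. The two sample output strings are constructed for illustration, not captured from gpg; all key IDs and fingerprints are placeholders. The shape of the forged lines follows the public description of CVE-2018-12020 (status lines smuggled into gpg's human-readable output via the signed file's embedded filename when status output and `--verbose` diagnostics share a stream), which the thread links to but does not spell out.

```python
import os
import subprocess
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

STATUS_PREFIX = "[GNUPG:] "

# Status keywords that must never appear in a verification we accept.
NEGATIVE_KEYWORDS = {
    "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
    "NODATA", "UNEXPECTED", "NO_PUBKEY", "FAILURE",
}

# Placeholder fingerprint for the allow-list (not a real key).
TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
TRUSTED = frozenset({TRUSTED_FPR})

# Constructed sample, NOT captured gpg output: what a caller sees when status
# lines and --verbose diagnostics share one stream and the signed file's
# embedded filename carries a newline plus forged status lines.  The real
# signature (last line) is bad; the forged lines claim it is good.
CONSTRUCTED_MIXED_STREAM = (
    "gpg: Signature made Fri Jun  8 21:00:00 2018 CEST\n"
    "gpg:                using RSA key 1111111111111111\n"
    "gpg: original file name='x\n"
    "[GNUPG:] GOODSIG 1111111111111111 Placeholder <nobody@example.invalid>\n"
    "[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2018-06-08"
    " 1528484400 0 4 0 1 8 00 1111111111111111111111111111111111111111\n"
    "gpg: '\n"
    "[GNUPG:] BADSIG 1111111111111111 Placeholder <nobody@example.invalid>\n"
)

# Constructed sample of a clean, dedicated status stream for a good signature
# from the allow-listed placeholder key (key id = last 16 hex of fingerprint).
CONSTRUCTED_STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Placeholder <nobody@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {TRUSTED_FPR} 2018-06-08 1528484400 0 4 0 1 8 00 {TRUSTED_FPR}\n"
    "[GNUPG:] TRUST_ULTIMATE 0 pgp\n"
)


def naive_verify(mixed_output: str) -> bool:
    """The fragile pattern: accept if GOODSIG appears anywhere gpg printed."""
    return "[GNUPG:] GOODSIG" in mixed_output


@dataclass
class VerifyResult:
    good: bool
    fingerprint: Optional[str]
    errors: List[str] = field(default_factory=list)


def parse_status(status_text: str, trusted_fprs: FrozenSet[str]) -> VerifyResult:
    """Decide from a dedicated --status-fd stream only.

    gpg writes nothing but status lines to that fd, so any other line means
    the stream is contaminated.  Accept only: exactly one VALIDSIG, a GOODSIG
    whose key id matches it, fingerprint on the allow-list, no negative line.
    """
    errors: List[str] = []
    goodsig_keyids: List[str] = []
    validsig_fprs: List[str] = []
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            errors.append(f"non-status line on status stream: {line!r}")
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword == "GOODSIG" and len(fields) > 1:
            goodsig_keyids.append(fields[1])
        elif keyword == "VALIDSIG" and len(fields) > 1:
            validsig_fprs.append(fields[1])
        elif keyword in NEGATIVE_KEYWORDS:
            errors.append(f"negative status: {line}")
    if len(validsig_fprs) != 1:
        errors.append(f"expected exactly one VALIDSIG, saw {len(validsig_fprs)}")
        return VerifyResult(False, None, errors)
    fpr = validsig_fprs[0]
    if not any(fpr.endswith(keyid) for keyid in goodsig_keyids):
        errors.append("no GOODSIG matching the VALIDSIG fingerprint")
    if fpr not in trusted_fprs:
        errors.append(f"signing key {fpr} is not on the allow-list")
    return VerifyResult(not errors, fpr, errors)


def run_gpg_verify(signature_path: str, data_path: str,
                   trusted_fprs: FrozenSet[str], gpg: str = "gpg") -> VerifyResult:
    """Run gpg with its status output on a private pipe, never merged with stderr."""
    read_end, write_end = os.pipe()
    try:
        proc = subprocess.Popen(
            [gpg, "--batch", "--no-tty", "--status-fd", str(write_end),
             "--verify", signature_path, data_path],
            stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,   # diagnostics never feed the decision
            pass_fds=(write_end,))
    except Exception:
        os.close(read_end)
        raise
    finally:
        os.close(write_end)  # keep only the child's copy so read() sees EOF
    with os.fdopen(read_end, "r", encoding="utf-8", errors="replace") as status:
        status_text = status.read()
    result = parse_status(status_text, trusted_fprs)
    if proc.wait() != 0:
        result.errors.append(f"gpg exited with status {proc.returncode}")
        result.good = False
    return result
```

`naive_verify` accepts the constructed mixed stream; `parse_status` rejects it on three independent grounds (foreign lines on the status stream, a BADSIG, and an unknown key) and accepts the clean stream only when the fingerprint is allow-listed. `run_gpg_verify` assumes a detached signature (`--verify sig data`); the stderr handling is the example's own choice, made so that no human-readable text can ever reach the parser. Using gpgv, as the quoted message notes apt does, is the other standard way to get a minimal, status-driven verifier.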