Date: Sun, 10 Jun 2018 10:58:38 -0400 From: Stiepan <stie@....swiss> To: marcus.brinkmann@...r-uni-bochum.de, oss-security@...ts.openwall.com Cc: ProtonMail Security Team <security@...tonmail.ch> Subject: Re : Re: CVE-2018-12020 in GnuPG Hello to both, This responsibility discussion is all well and fine, but now that this is half-public, may we know for sure whether we are affected : 1. as debian(-like) package consumers 2. as users of GPG for other purposes, such as webmail (have CC-ed protonmail to that regard) and since when, so as to do proper rollbacks or other applicable mitigations (w.r.t packages) ? By the way, this is why I think disclosure of such issues and mitigations should be a matter discussed at an official international forum such as the ITU is, before everything gets out. Enjoy your Sunday, Stiepan A. Kovac President itk AVtobvS SARL Envoyé depuis ProtonMail mobile -------- Message d'origine -------- On 9 juin 2018 à 2:02, Marcus Brinkmann a écrit : > Hi, > > On 06/08/2018 09:36 PM, Yves-Alexis Perez wrote: >> Hi everybody, >> >> just a heads up, since we weren't notified in advance and it's Friday evening >> (in Europe at least). > > Yes. I tried to disclose this responsibly with Werner Koch (and in > coordination with other affected projects), but within two hours he did > a unilateral full disclosure without getting back to me. > > :( > >> There's a nasty vulnerability in GnuPG which can be apparently used to bypass >> signature verification when a program calls gpg to verify a signature and >> parses the output: >> >> https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html >> https://dev.gnupg.org/T4012 >> >> It might be worth checking whether package managers signature verification is >> affected. >> >> Apt doesn't seems affected at first sight (it uses gpgv) but we'll double >> check. > > I am still handling this under responsible disclosure. This is why I > have not spoken out yet, and the CVE is not public. But what you say is > important and correct. > > Thanks, > Marcus
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ