Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 10 Jun 2018 10:58:38 -0400
From: Stiepan <stie@....swiss>
To: marcus.brinkmann@...r-uni-bochum.de, oss-security@...ts.openwall.com
Cc: ProtonMail Security Team <security@...tonmail.ch>
Subject: Re : Re: CVE-2018-12020 in GnuPG

Hello to both,

This responsibility discussion is all well and fine, but now that this is half-public, may we know for sure whether we are affected :
1. as debian(-like) package consumers
2. as users of GPG for other purposes, such as webmail (have CC-ed protonmail to that regard)
and since when, so as to do proper rollbacks or other applicable mitigations (w.r.t packages) ?
By the way, this is why I think disclosure of such issues and mitigations should be a matter discussed at an official international forum such as the ITU is, before everything gets out.

Enjoy your Sunday,
Stiepan A. Kovac
President
itk AVtobvS SARL

Envoyé depuis ProtonMail mobile

-------- Message d'origine --------
On 9 juin 2018 à 2:02, Marcus Brinkmann a écrit :

> Hi,
>
> On 06/08/2018 09:36 PM, Yves-Alexis Perez wrote:
>> Hi everybody,
>>
>> just a heads up, since we weren't notified in advance and it's Friday evening
>> (in Europe at least).
>
> Yes. I tried to disclose this responsibly with Werner Koch (and in
> coordination with other affected projects), but within two hours he did
> a unilateral full disclosure without getting back to me.
>
> :(
>
>> There's a nasty vulnerability in GnuPG which can be apparently used to bypass
>> signature verification when a program calls gpg to verify a signature and
>> parses the output:
>>
>> https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
>> https://dev.gnupg.org/T4012
>>
>> It might be worth checking whether package managers signature verification is
>> affected.
>>
>> Apt doesn't seems affected at first sight (it uses gpgv) but we'll double
>> check.
>
> I am still handling this under responsible disclosure. This is why I
> have not spoken out yet, and the CVE is not public. But what you say is
> important and correct.
>
> Thanks,
> Marcus

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ