Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 15 Jun 2018 00:20:21 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2018-12356 Breaking signature verification in
 pass (Simple Password Store)

* Marcus Brinkmann <marcus.brinkmann@...r-uni-bochum.de>, 2018-06-14, 23:46:
>CVE-2018-12356: An issue was discovered in password-store.sh in pass in 
>Simple Password Store 1.7 through 1.7.1. The signature verification 
>routine parses the output of GnuPG with an incomplete regular 
>expression, which allows remote attackers to spoof file signatures on 
>configuration files and extensions scripts
[...]
>https://neopg.io/blog/pass-signature-spoof/

In the blog post you write that the fixed regexp is "^[GNUPG:]", but 
that would be really bad. :) I think you meant "^\[GNUPG:\]".

There's apparently more software that uses unachored "\[GNUPG:\]":
https://codesearch.debian.net/search?q=%5B%5E%5E%5D%5C%5C%5C%5BGNUPG%3A%5C%5C%5C%5D

-- 
Jakub Wilk

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ