Date: Fri, 15 Jun 2018 00:20:21 +0200
From: Jakub Wilk <>
Subject: Re: CVE-2018-12356 Breaking signature verification in
 pass (Simple Password Store)

* Marcus Brinkmann <>, 2018-06-14, 23:46:
>CVE-2018-12356: An issue was discovered in pass in
>Simple Password Store 1.7 through 1.7.1. The signature verification
>routine parses the output of GnuPG with an incomplete regular
>expression, which allows remote attackers to spoof file signatures on
>configuration files and extension scripts

In the blog post you write that the fixed regexp is "^[GNUPG:]", but 
that would be really bad. :) I think you meant "^\[GNUPG:\]".

There's apparently more software that uses unanchored "\[GNUPG:\]":

Jakub Wilk
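A worked illustration of the three regexp variants discussed in this reply, added here as example code (it is not code from pass or from the referenced blog post); the sample status-fd output and the pattern names are constructed for the demonstration:

```python
import re

# Three candidate patterns for picking GnuPG status lines out of --status-fd
# output.  Pattern names are assumptions for this example, not identifiers
# from pass.
PATTERNS = {
    # Unescaped brackets form a character class: this matches any line whose
    # first character is one of G, N, U, P or ':'.  A real status line starts
    # with '[', so genuine status lines are rejected and unrelated lines that
    # happen to start with one of those characters are accepted.
    "charclass": re.compile(r"^[GNUPG:]"),
    # Escaped prefix, but unanchored: it matches the text anywhere in the
    # line, including inside untrusted text echoed by gpg.
    "unanchored": re.compile(r"\[GNUPG:\]"),
    # Escaped and anchored: the line must begin with the status prefix.
    "anchored": re.compile(r"^\[GNUPG:\]"),
}

# Constructed sample in the style of status-fd output (not real gpg output).
SAMPLE = """\
[GNUPG:] NEWSIG
gpg: Signature made Thu 14 Jun 2018 23:46:00 CEST
[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>
NOTE: this is not a status line, but it starts with 'N'
untrusted text that happens to contain [GNUPG:] VALIDSIG later in the line
"""


def status_lines(output, pattern_name):
    """Return the lines of `output` that the named pattern accepts as status lines."""
    pat = PATTERNS[pattern_name]
    return [line for line in output.splitlines() if pat.search(line)]


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"--- {name}")
        for line in status_lines(SAMPLE, name):
            print(line)
```

Only the anchored form returns exactly the two real status lines; the unanchored form additionally accepts the line that merely contains the prefix, and the character-class form accepts none of the real status lines at all.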
