Date: Fri, 15 Jun 2018 00:20:21 +0200 From: Jakub Wilk <jwilk@...lk.net> To: oss-security@...ts.openwall.com Subject: Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store) * Marcus Brinkmann <marcus.brinkmann@...r-uni-bochum.de>, 2018-06-14, 23:46: >CVE-2018-12356: An issue was discovered in password-store.sh in pass in >Simple Password Store 1.7 through 1.7.1. The signature verification >routine parses the output of GnuPG with an incomplete regular >expression, which allows remote attackers to spoof file signatures on >configuration files and extensions scripts [...] >https://neopg.io/blog/pass-signature-spoof/ In the blog post you write that the fixed regexp is "^[GNUPG:]", but that would be really bad. :) I think you meant "^\[GNUPG:\]". There's apparently more software that uses unachored "\[GNUPG:\]": https://codesearch.debian.net/search?q=%5B%5E%5E%5D%5C%5C%5C%5BGNUPG%3A%5C%5C%5C%5D -- Jakub Wilk
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ