Date: Fri, 15 Jun 2018 16:43:51 +0200
From: Marcus Brinkmann <marcus.brinkmann@...r-uni-bochum.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store)

On 06/15/2018 12:20 AM, Jakub Wilk wrote:
> * Marcus Brinkmann <marcus.brinkmann@...r-uni-bochum.de>, 2018-06-14, 23:46:
>> CVE-2018-12356: An issue was discovered in password-store.sh in pass
>> in Simple Password Store 1.7 through 1.7.1. The signature verification
>> routine parses the output of GnuPG with an incomplete regular
>> expression, which allows remote attackers to spoof file signatures on
>> configuration files and extensions scripts
> [...]
>> https://neopg.io/blog/pass-signature-spoof/
>
> In the blog post you write that the fixed regexp is "^[GNUPG:]", but
> that would be really bad. :) I think you meant "^\[GNUPG:\]".

Thanks, fixed.

> There's apparently more software that uses unanchored "\[GNUPG:\]":
> https://codesearch.debian.net/search?q=%5B%5E%5E%5D%5C%5C%5C%5BGNUPG%3A%5C%5C%5C%5D

Yes. I did two weeks of due diligence on the important package managers, Git, and anything I could think of that is critical. But I am not saying what I looked at, because there might be something I missed, and I want everybody to join in and have a fresh look. It is too much for a single person.

I didn't know about Debian code search, so thanks for the tip. You reporting these? If not, I can do it.
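The parsing difference Jakub points at, as an added Python example (not code from pass or from this thread): the same VALIDSIG extraction run once with the unanchored marker and once with the start-anchored "^\[GNUPG:\]" marker, over constructed status-fd lines. The fingerprints, timestamps and the second status line are made up for the illustration; only a line that really begins with the marker is a status line.

```python
import re

# Constructed fingerprints: the one a consumer trusts, and the one that
# actually signed the data in the sample output.
TRUSTED_FPR = "A" * 40
ACTUAL_SIGNER_FPR = "B" * 40

# VALIDSIG status line: field 1 is the signing-key fingerprint, the final
# field is the primary-key fingerprint. Same expression, with and without
# the anchor at the start of the line.
UNANCHORED = re.compile(r"\[GNUPG:\] VALIDSIG ([A-F0-9]{40}) .* ([A-F0-9]{40})$")
ANCHORED = re.compile(r"^\[GNUPG:\] VALIDSIG ([A-F0-9]{40}) .* ([A-F0-9]{40})$")

# Constructed --status-fd output (not real gpg output): one genuine VALIDSIG
# line for the actual signer, and one status line whose free-text payload
# contains the marker text mid-line.
SAMPLE_STATUS = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] VALIDSIG " + ACTUAL_SIGNER_FPR
    + " 2018-06-14 1528984000 0 4 0 1 8 00 " + ACTUAL_SIGNER_FPR,
    "[GNUPG:] CONSTRUCTED_FREETEXT [GNUPG:] VALIDSIG " + TRUSTED_FPR
    + " 2018-06-14 1528984000 0 4 0 1 8 00 " + TRUSTED_FPR,
])


def primary_fingerprints(status_output, pattern):
    """Primary-key fingerprints reported by VALIDSIG lines, per `pattern`."""
    found = set()
    for line in status_output.splitlines():
        match = pattern.search(line)
        if match:
            found.add(match.group(2))
    return found


def signature_trusted(status_output, trusted_fprs, pattern):
    """True if any VALIDSIG primary fingerprint is in the trusted set."""
    return bool(primary_fingerprints(status_output, pattern) & trusted_fprs)


if __name__ == "__main__":
    for name, pattern in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        print(name, sorted(primary_fingerprints(SAMPLE_STATUS, pattern)),
              signature_trusted(SAMPLE_STATUS, {TRUSTED_FPR}, pattern))
```

The unanchored form also accepts the mid-line marker and so reports the trusted fingerprint; the anchored form only sees the genuine VALIDSIG line.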