Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 15 Jun 2018 16:43:51 +0200
From: Marcus Brinkmann <marcus.brinkmann@...r-uni-bochum.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2018-12356 Breaking signature verification in
 pass (Simple Password Store)

On 06/15/2018 12:20 AM, Jakub Wilk wrote:
> * Marcus Brinkmann <marcus.brinkmann@...r-uni-bochum.de>, 2018-06-14,
> 23:46:
>> CVE-2018-12356: An issue was discovered in password-store.sh in pass
>> in Simple Password Store 1.7 through 1.7.1. The signature verification
>> routine parses the output of GnuPG with an incomplete regular
>> expression, which allows remote attackers to spoof file signatures on
>> configuration files and extensions scripts
> [...]
>> https://neopg.io/blog/pass-signature-spoof/
> 
> In the blog post you write that the fixed regexp is "^[GNUPG:]", but
> that would be really bad. :) I think you meant "^\[GNUPG:\]".

Thanks, fixed.

> There's apparently more software that uses unachored "\[GNUPG:\]":
> https://codesearch.debian.net/search?q=%5B%5E%5E%5D%5C%5C%5C%5BGNUPG%3A%5C%5C%5C%5D

Yes. I did two weeks of due diligence on the important package managers,
Git, and anything I could think of that is critical. But I am not saying
what I looked at, because there might be something I missed, and I want
everybody to join in and have a fresh look. It is too much for a single
person.

I didn't know about Debian code search, so thanks for the tip.

You reporting these? If not, I can do it.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.