Date: Fri, 15 Jun 2018 16:43:51 +0200
From: Marcus Brinkmann <marcus.brinkmann@...r-uni-bochum.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store)

On 06/15/2018 12:20 AM, Jakub Wilk wrote:
> * Marcus Brinkmann <marcus.brinkmann@...r-uni-bochum.de>, 2018-06-14,
> 23:46:
>> CVE-2018-12356: An issue was discovered in password-store.sh in pass
>> in Simple Password Store 1.7 through 1.7.1. The signature verification
>> routine parses the output of GnuPG with an incomplete regular
>> expression, which allows remote attackers to spoof file signatures on
>> configuration files and extensions scripts
> [...]
>> https://neopg.io/blog/pass-signature-spoof/
> 
> In the blog post you write that the fixed regexp is "^[GNUPG:]", but
> that would be really bad. :) I think you meant "^\[GNUPG:\]".

Thanks, fixed.

> There's apparently more software that uses unanchored "\[GNUPG:\]":
> https://codesearch.debian.net/search?q=%5B%5E%5E%5D%5C%5C%5C%5BGNUPG%3A%5C%5C%5C%5D

Yes. I did two weeks of due diligence on the important package managers,
Git, and anything I could think of that is critical. But I am not saying
what I looked at, because there might be something I missed, and I want
everybody to join in and have a fresh look. It is too much for a single
person.

I didn't know about Debian code search, so thanks for the tip.

Are you reporting these? If not, I can do it.
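
As an added illustration (not code from pass or from this thread), the following shell fragment contrasts an unanchored check for the GnuPG status marker with the anchored "^\[GNUPG:\]" form, run over constructed status output; the fingerprint and the non-status line containing the marker are made up for the demonstration.

```shell
#!/bin/sh
# Added example: why an unanchored match on "[GNUPG:] VALIDSIG" is unsafe
# and why the fix anchors the marker at the start of the line.
# Both inputs below are constructed, not captured from gpg.

# Constructed output resembling gpg --status-fd: a genuine VALIDSIG line.
CONSTRUCTED_GENUINE='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-06-14 1528998360 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Constructed output where the marker appears only in the MIDDLE of a
# line that is not a status line at all (gpg always starts real status
# lines with the marker), followed by a genuine BADSIG status line.
CONSTRUCTED_UNANCHORED='[GNUPG:] NEWSIG
not a status line [GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-06-14 1528998360 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] BADSIG 0123456789ABCDEF Constructed Key <constructed@example.invalid>'

# Weak check: the marker may appear anywhere in a line, so any line that
# merely contains the text satisfies it.
weak_validsig() {
    printf '%s\n' "$1" | grep -q '\[GNUPG:\] VALIDSIG'
}

# Fixed check: the marker must begin the line, which is how gpg emits
# every status line; text that only contains the marker mid-line fails.
anchored_validsig() {
    printf '%s\n' "$1" | grep -q '^\[GNUPG:\] VALIDSIG'
}

# Extract signing-key fingerprints from anchored VALIDSIG lines only.
# Prints one 40-hex-digit fingerprint per genuine line, nothing otherwise.
valid_fingerprints() {
    printf '%s\n' "$1" |
        sed -n 's/^\[GNUPG:\] VALIDSIG \([0-9A-Fa-f]\{40\}\) .*/\1/p'
}
```

The unanchored check accepts both inputs, while the anchored check and the fingerprint extractor accept only the genuine status output.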
