Date: Fri, 15 Jun 2018 16:43:51 +0200 From: Marcus Brinkmann <marcus.brinkmann@...r-uni-bochum.de> To: oss-security@...ts.openwall.com Subject: Re: CVE-2018-12356 Breaking signature verification in pass (Simple Password Store) On 06/15/2018 12:20 AM, Jakub Wilk wrote: > * Marcus Brinkmann <marcus.brinkmann@...r-uni-bochum.de>, 2018-06-14, > 23:46: >> CVE-2018-12356: An issue was discovered in password-store.sh in pass >> in Simple Password Store 1.7 through 1.7.1. The signature verification >> routine parses the output of GnuPG with an incomplete regular >> expression, which allows remote attackers to spoof file signatures on >> configuration files and extensions scripts > [...] >> https://neopg.io/blog/pass-signature-spoof/ > > In the blog post you write that the fixed regexp is "^[GNUPG:]", but > that would be really bad. :) I think you meant "^\[GNUPG:\]". Thanks, fixed. > There's apparently more software that uses unachored "\[GNUPG:\]": > https://codesearch.debian.net/search?q=%5B%5E%5E%5D%5C%5C%5C%5BGNUPG%3A%5C%5C%5C%5D Yes. I did two weeks of due diligence on the important package managers, Git, and anything I could think of that is critical. But I am not saying what I looked at, because there might be something I missed, and I want everybody to join in and have a fresh look. It is too much for a single person. I didn't know about Debian code search, so thanks for the tip. You reporting these? If not, I can do it.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.