Date: Wed, 13 Jun 2018 20:22:23 +0200 From: Marcus Brinkmann <marcus.brinkmann@...r-uni-bochum.de> To: oss-security@...ts.openwall.com Subject: CVE-2018-12020, CVE-2018-12019 in GnuPG, Enigmails, GPGTools, python-gnupg I have published my reports: CVE-2018-12020: The signature verification routine in Enigmail 184.108.40.206, GPGTools 2018.2, and python-gnupg 0.4.2 parse the output of GnuPG 2.2.6 with a “--status-fd 2” option, which allows remote attackers to spoof arbitrary signatures via the embedded “filename” parameter in OpenPGP literal data packets, if the user has the verbose option set in their gpg.conf file. https://neopg.io/blog/gpg-signature-spoof/ CVE-2018-12019: The signature verification routine in Enigmail 220.127.116.11 interprets user ids as status/control messages and does not correctly keep track of the status of multiple signatures, which allows remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids. https://neopg.io/blog/enigmail-signature-spoof/ It would be prudent for developers of GnuPG-based applications to check for similar issues in their software. I did a lot of due diligence to check critical infrastructure, but there were several "near misses" that make me fear that there are still some affected products out there.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ