Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 524
Alerts This Week
Warning Icon 1 524

Mageia 6 Moderate Advisory: python-gnupg Data Injection Risk

mageia
Calendar Grey March 7, 2019
Dist Mageia Esm H88
MGASA-2019-0105 - Updated python-gnupg packages fix security vulnerability Publication date: 07 Mar
When symmetric encryption is used, data can be injected through the passphrase property of the gnupg.GPG.encrypt() and gnupg.GPG.decrypt() methods

Summary

When symmetric encryption is used, data can be injected through the passphrase property of the gnupg.GPG.encrypt() and gnupg.GPG.decrypt() methods. The supplied passphrase is not validated for newlines, and the library passes --passphrase-fd=0 to the gpg executable, which expects the passphrase on the first line of stdin, and the ciphertext to be decrypted or plaintext to be encrypted on subsequent lines. By supplying a passphrase containing a newline an attacker can control/modify the ciphertext/plaintext being decrypted/encrypted (CVE-2019-6690).

References

- https://bugs.mageia.org/show_bug.cgi?id=24341

- - https://www.cve.org/CVERecord?id=CVE-2019-6690

Resolution

SRPMS

- 6/core/python-gnupg-0.4.4-1.mga6

Severity
important
Lowest
Low
Medium
High
Critical

Publication date: 07 Mar 2019
URL: https://advisories.mageia.org/MGASA-2019-0105.html
Type: security
CVE: CVE-2019-6690

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.