I received predisclosure information about a class of vulnerabilities in GnuPG which will be made public tomorrow. One of the issues is already partially public (bug #657596). The other is specific to Enigmail. Both issues rely on the idea of injecting status messages into gnupg. From a brief look, and also confirmed by the finder of the bug, it seems gemato is unaffected.

From Gentoo's perspective, what we should do:

* Be prepared to bump Enigmail to 2.0.7 and python-gnupg to 0.4.3, which should be available tomorrow evening.
* The stabilization of GnuPG 2.2.8 is currently on hold due to expectation of another fix from upstream. Not sure what the status here is.

Please keep this information private until the bug is publicly disclosed.
Enigmail bump is out: https://sourceforge.net/p/enigmail/forum/announce/thread/b948279f/ Please bump.
python-gnupg 0.4.3 is out, found no release notes, but this contains the fix according to the bug finder: https://pypi.org/project/python-gnupg/#history
Info is out now:
https://neopg.io/blog/gpg-signature-spoof/
https://neopg.io/blog/enigmail-signature-spoof/

I can't make this bug public, can someone from security do this?
(In reply to Hanno Boeck from comment #3)
> Info is out now:
> https://neopg.io/blog/gpg-signature-spoof/
> https://neopg.io/blog/enigmail-signature-spoof/
>
> I can't make this bug public, can someone from security do this?

Done
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e22b2f158eb694e0ecdcab392acf3c73b8ee28ae

commit e22b2f158eb694e0ecdcab392acf3c73b8ee28ae
Author: Ian Stakenvicius <axs@gentoo.org>
AuthorDate: 2018-06-13 20:01:40 +0000
Commit: Ian Stakenvicius <axs@gentoo.org>
CommitDate: 2018-06-13 20:04:58 +0000

x11-plugins/enigmail: bump for CVE-2018-12019

Bug: http://bugs.gentoo.org/657986
Package-Manager: Portage-2.3.24, Repoman-2.3.6

x11-plugins/enigmail/Manifest | 1 +
x11-plugins/enigmail/enigmail-2.0.7.ebuild | 83 ++++++++++++++++++++++++++++++
2 files changed, 84 insertions(+)
(In reply to Hanno Boeck from comment #2)
> python-gnupg 0.4.3 is out, found no release notes, but this contains the fix
> according to the bug finder:
> https://pypi.org/project/python-gnupg/#history

https://groups.google.com/forum/#!topic/python-gnupg/2yAlj_F2S1g
This seems a bit stuck.

@mozilla: Are we ready to stabilize 2.0.7?

@python: can you bump python-gnupg?
(In reply to Hanno Boeck from comment #8)
> This seems a bit stuck.
>
> @mozilla: Are we ready to stabilize 2.0.7?
>
> @python: can you bump python-gnupg?

enigmail-2.0.7 can go stable
This got lost, cleaning up. No GLSA will be issued.