
Bug 658150 (CVE-2018-12356)

Summary: <app-admin/pass-1.7.2: Breaking signature verification
Product: Gentoo Security
Reporter: Ian Zimmerman <nobrowser>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [noglsa cve]
Package list:
Runtime testing required: ---

Description Ian Zimmerman 2018-06-14 22:16:43 UTC
According to the posting in oss-security [1]:

>>
An issue was discovered in password-store.sh in pass in
Simple Password Store 1.7 through 1.7.1. The signature verification
routine parses the output of GnuPG with an incomplete regular
expression, which allows remote attackers to spoof file signatures on
configuration files and extensions scripts. Modifying the configuration
file allows the attacker to inject additional encryption keys under
their control, thereby disclosing passwords to the attacker. Modifying
the extension scripts allows the attacker arbitrary code execution.
<<

Upstream has released version 1.7.2, which presumably addresses this flaw (although I have not checked).  Please make it available in gentoo.

[1] http://www.openwall.com/lists/oss-security/2018/06/14/3
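The bug class the advisory describes, as an added example that is not pass's code (the pattern below is illustrative and is not the regular expression pass 1.7.1 used): a script that trusts `gpg --verify --status-fd` output only as far as its parser is careful. Status lines have the form `[GNUPG:] KEYWORD args`, and some of those arguments are chosen by whoever created the signing key; the GOODSIG line, for instance, ends with the signer's user ID. One way such a parser can be incomplete is a pattern that is not anchored to the start of the line and to the VALIDSIG keyword, so it also matches text an attacker placed in a different status line. The status output below is constructed, and both fingerprints are hypothetical.

```shell
#!/bin/sh
# Added example, not code from pass. Shows a fail-open status-fd parser next
# to a strict one, on constructed GnuPG --status-fd output.

TRUSTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"   # hypothetical trusted key
ATTACKER_FPR="FEDCBA9876543210FEDCBA9876543210FEDCBA98"  # hypothetical attacker key

# Constructed status output for an honest run: the signature was made by the
# trusted key, and gpg reports its fingerprint on the VALIDSIG line.
GOOD_OUTPUT="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>
[GNUPG:] VALIDSIG $TRUSTED_FPR 2018-06-14 1528969200 0 4 0 1 8 00 $TRUSTED_FPR
[GNUPG:] TRUST_ULTIMATE 0 pgp"

# Constructed status output for a hostile run: the signature was made by the
# attacker's key. The key's user ID (echoed by gpg at the end of the GOODSIG
# line) was chosen to look like a VALIDSIG line naming the trusted fingerprint.
SPOOFED_OUTPUT="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 [GNUPG:] VALIDSIG $TRUSTED_FPR 2018-06-14 1528969200 0 4 0 1 8 00 $TRUSTED_FPR
[GNUPG:] VALIDSIG $ATTACKER_FPR 2018-06-14 1528969200 0 4 0 1 8 00 $ATTACKER_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp"

# Weak check (illustrative of the bug class). The pattern is not anchored to
# the line start, so the leading .* lets it match "[GNUPG:] VALIDSIG <fpr>"
# wherever it appears, including inside the GOODSIG line's user ID.
# $1 = status output, $2 = trusted fingerprint. Returns 0 if accepted.
weak_verify() {
    printf '%s\n' "$1" \
        | sed -n 's/.*\[GNUPG:\] VALIDSIG \([A-F0-9]\{40\}\) .*/\1/p' \
        | grep -qx "$2"
}

# Strict check. Each status line is a whitespace-separated record; only a
# line whose first two fields are exactly "[GNUPG:]" and "VALIDSIG" counts,
# and only its third field, which must be 40 hex digits, is compared as a
# whole string against the trusted fingerprint.
# $1 = status output, $2 = trusted fingerprint. Returns 0 if accepted.
strict_verify() {
    printf '%s\n' "$1" | while IFS=' ' read -r prefix keyword fpr rest; do
        [ "$prefix" = "[GNUPG:]" ] && [ "$keyword" = "VALIDSIG" ] || continue
        case $fpr in
            *[!A-F0-9]*) continue ;;   # reject anything that is not upper-case hex
        esac
        [ "${#fpr}" -eq 40 ] && printf '%s\n' "$fpr"
    done | grep -qx "$2"
}

# Print accepted/rejected for each check on each output.
report() {
    label=$1; shift
    if "$@"; then
        printf '%-30s accepted\n' "$label"
    else
        printf '%-30s rejected\n' "$label"
    fi
}

report "weak_verify, honest"     weak_verify   "$GOOD_OUTPUT"    "$TRUSTED_FPR"
report "weak_verify, spoofed"    weak_verify   "$SPOOFED_OUTPUT" "$TRUSTED_FPR"
report "strict_verify, honest"   strict_verify "$GOOD_OUTPUT"    "$TRUSTED_FPR"
report "strict_verify, spoofed"  strict_verify "$SPOOFED_OUTPUT" "$TRUSTED_FPR"
```

Running the script shows the weak check accepting the spoofed output and the strict check rejecting it, while both accept the honest run. In real use the status text would come from `gpg --verify --status-fd=1 file.sig file` rather than a literal; the point is that anything after the keyword on a GOODSIG (or NOTATION_DATA) line is data the signer controls, so the fingerprint must be read from the VALIDSIG record's own field, not pattern-matched out of the whole stream.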
Comment 1 Georgy Yakovlev archtester gentoo-dev 2018-06-14 23:01:20 UTC
Taken care of in 1.7.2, which already hit the tree and is stable keyworded.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=861e6bab31df9b6432b16df58c00440579f6ba4b

Yes, it should be fixed in 1.7.2; here is the upstream announcement:
https://lists.zx2c4.com/pipermail/password-store/2018-June/003308.html

Thanks for reporting!