I received predisclosure information about a class of vulnerabilities in GnuPG which will be made public tomorrow.
One of the issues is already partially public (bug #657596). The other is specific to Enigmail. Both issues rely on the idea of injecting status messages into gnupg. From a brief look, and also confirmed by the finder of the bug, it seems gemato is unaffected.
From Gentoo's perspective, what we should do:
* Be prepared to bump Enigmail to 2.0.7 and python-gnupg to 0.4.3 which should be available tomorrow evening.
* The stabilization of GnuPG 2.2.8 is currently on hold due to expectation of another fix from upstream. Not sure what the status here is.
Please keep this information private until the bug is publicly disclosed.
Enigmail bump is out:
python-gnupg 0.4.3 is out, found no release notes, but this contains the fix according to the bug finder:
Info is out now:
I can't make this bug public, can someone from security do this?
(In reply to Hanno Boeck from comment #3)
> Info is out now:
> I can't make this bug public, can someone from security do this?
The bug has been referenced in the following commit(s):
Author: Ian Stakenvicius <firstname.lastname@example.org>
AuthorDate: 2018-06-13 20:01:40 +0000
Commit: Ian Stakenvicius <email@example.com>
CommitDate: 2018-06-13 20:04:58 +0000
x11-plugins/enigmail: bump for CVE-2018-12019
Package-Manager: Portage-2.3.24, Repoman-2.3.6
x11-plugins/enigmail/Manifest | 1 +
x11-plugins/enigmail/enigmail-2.0.7.ebuild | 83 ++++++++++++++++++++++++++++++
2 files changed, 84 insertions(+)
(In reply to Hanno Boeck from comment #2)
> python-gnupg 0.4.3 is out, found no release notes, but this contains the fix
> according to the bug finder:
This seems a bit stuck.
@mozilla: Are we ready to stabilize 2.0.7?
@python: can you bump python-gnupg?
(In reply to Hanno Boeck from comment #8)
> This seems a bit stuck.
> @mozilla: Are we ready to stabilize 2.0.7?
> @python: can you bump python-gnupg?
enigmail-2.0.7 can go stable.
This got lost, cleaning up. No GLSA will be issued.