Bug 657986 (CVE-2018-12019) - app-crypt/gnupg, x11-plugins/enigmail, dev-python/python-gnupg: injecting status messages (SigSpoof)
Status: RESOLVED FIXED
Alias: CVE-2018-12019
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-12 15:31 UTC by Hanno Böck
Modified: 2019-03-12 07:21 UTC
CC List: 4 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Hanno Böck gentoo-dev 2018-06-12 15:31:12 UTC
I received predisclosure information about a class of vulnerabilities in GnuPG which will be made public tomorrow.

One of the issues is already partially public (bug #657596). The other is specific to Enigmail. Both issues rely on the idea of injecting status messages into gnupg. From a brief look, and also confirmed by the finder of the bug, it seems gemato is unaffected.

From Gentoo's perspective what we should do:
* Be prepared to bump Enigmail to 2.0.7 and python-gnupg to 0.4.3 which should be available tomorrow evening.
* The stabilization of GnuPG 2.2.8 is currently on hold due to expectation of another fix from upstream. Not sure what the status here is.

Please keep this information private until the bug is publicly disclosed.
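As an added illustration of the injection class the report above describes (example code written for this page, not code from GnuPG, Enigmail or python-gnupg, and not a reproduction of the actual exploit): the simulated gpg output, the attacker-controlled file name and the escaping routine below are constructed stand-ins, and the only real identifiers used are the GnuPG status keywords and the --status-fd / --verbose options. It contrasts a consumer that scans a shared stderr for "[GNUPG:]" lines with one that reads them only from a dedicated descriptor, and shows how escaping control bytes in gpg's own diagnostic closes the same hole from the gpg side.

```python
from typing import List, Tuple

STATUS_PREFIX = b"[GNUPG:] "

# Constructed attacker-controlled "original file name" carried in the literal
# data packet: a newline, a forged status line, then text that turns the tail
# of gpg's real diagnostic into another harmless-looking log line.
FORGED_NAME = (
    b"secret.txt\n"
    b"[GNUPG:] GOODSIG 0000000000000000 Victim Contact <contact@example.org>\n"
    b"gpg: "
)

# Status lines gpg genuinely emits for an encrypted but UNSIGNED message
# (constructed subset; the keyword names are real GnuPG status keywords).
GENUINE_STATUS = [
    b"[GNUPG:] BEGIN_DECRYPTION",
    b"[GNUPG:] DECRYPTION_OKAY",
    b"[GNUPG:] END_DECRYPTION",
]


def escape_control(data: bytes) -> bytes:
    """Render control bytes as \\xNN so an untrusted value can never start a
    new line.  Models a sanitised diagnostic; not GnuPG's exact routine."""
    return b"".join(
        b"\\x%02x" % b if b < 0x20 or b == 0x7F else bytes([b]) for b in data
    )


def render_mixed_stderr(original_name: bytes, sanitised: bool) -> bytes:
    """Simulate `gpg --verbose --status-fd 2`: diagnostics and status lines
    share one stream.  `sanitised` toggles escaping of the file name."""
    name = escape_control(original_name) if sanitised else original_name
    lines = [b"gpg: original file name='" + name + b"'"] + GENUINE_STATUS
    return b"\n".join(lines) + b"\n"


def render_separate_fds(original_name: bytes) -> Tuple[bytes, bytes]:
    """Simulate `gpg --verbose --status-fd 3`: diagnostics on stderr, status
    on a dedicated descriptor.  Returns (stderr, status_fd) contents, with
    the file name deliberately left unescaped to model an unpatched gpg."""
    stderr = b"gpg: original file name='" + original_name + b"'\n"
    status = b"\n".join(GENUINE_STATUS) + b"\n"
    return stderr, status


def parse_status_lines(stream: bytes) -> List[str]:
    """Return the keyword of every `[GNUPG:] ...` line in `stream`.
    Only trustworthy when `stream` is the dedicated status channel."""
    keywords = []
    for line in stream.split(b"\n"):
        if line.startswith(STATUS_PREFIX):
            keywords.append(line[len(STATUS_PREFIX):].split(b" ", 1)[0].decode())
    return keywords


def signature_verified(keywords: List[str]) -> bool:
    """Typical consumer predicate: GOODSIG seen and no failure keyword."""
    return "GOODSIG" in keywords and "BADSIG" not in keywords and "ERRSIG" not in keywords


def verify_naive(original_name: bytes, sanitised: bool) -> bool:
    """Vulnerable consumer pattern: scan the shared stderr for status lines."""
    return signature_verified(parse_status_lines(render_mixed_stderr(original_name, sanitised)))


def verify_dedicated_fd(original_name: bytes) -> bool:
    """Hardened consumer pattern: parse only the dedicated status fd."""
    _stderr, status = render_separate_fds(original_name)
    return signature_verified(parse_status_lines(status))


if __name__ == "__main__":
    print("naive consumer, unsanitised gpg :", verify_naive(FORGED_NAME, sanitised=False))  # True (spoofed)
    print("naive consumer, sanitised gpg   :", verify_naive(FORGED_NAME, sanitised=True))   # False
    print("dedicated status fd consumer    :", verify_dedicated_fd(FORGED_NAME))            # False
```

Run it directly to see the three verdicts. The point for a consumer of gpg is that the dedicated-fd parser stays correct even against a gpg that does not escape its diagnostics, whereas the naive parser is only as safe as gpg's own output sanitising; the two fixes are independent layers, which is why both gpg and its callers (Enigmail, python-gnupg) needed updates.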
Comment 1 Hanno Böck gentoo-dev 2018-06-13 16:40:36 UTC
Enigmail bump is out:
https://sourceforge.net/p/enigmail/forum/announce/thread/b948279f/

Please bump.
Comment 2 Hanno Böck gentoo-dev 2018-06-13 17:21:07 UTC
python-gnupg 0.4.3 is out, found no release notes, but this contains the fix according to the bug finder:
https://pypi.org/project/python-gnupg/#history
Comment 3 Hanno Böck gentoo-dev 2018-06-13 17:49:27 UTC
Info is out now:
https://neopg.io/blog/gpg-signature-spoof/
https://neopg.io/blog/enigmail-signature-spoof/

I can't make this bug public, can someone from security do this?
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2018-06-13 19:35:43 UTC
(In reply to Hanno Boeck from comment #3)
> Info is out now:
> https://neopg.io/blog/gpg-signature-spoof/
> https://neopg.io/blog/enigmail-signature-spoof/
> 
> I can't make this bug public, can someone from security do this?

Done
Comment 5 Larry the Git Cow gentoo-dev 2018-06-13 20:05:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e22b2f158eb694e0ecdcab392acf3c73b8ee28ae

commit e22b2f158eb694e0ecdcab392acf3c73b8ee28ae
Author:     Ian Stakenvicius <axs@gentoo.org>
AuthorDate: 2018-06-13 20:01:40 +0000
Commit:     Ian Stakenvicius <axs@gentoo.org>
CommitDate: 2018-06-13 20:04:58 +0000

    x11-plugins/enigmail: bump for CVE-2018-12019
    
    Bug: http://bugs.gentoo.org/657986
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 x11-plugins/enigmail/Manifest              |  1 +
 x11-plugins/enigmail/enigmail-2.0.7.ebuild | 83 ++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+)
Comment 6 Oleh 2018-06-16 11:14:02 UTC
(In reply to Hanno Boeck from comment #2)
> python-gnupg 0.4.3 is out, found no release notes, but this contains the fix
> according to the bug finder:
> https://pypi.org/project/python-gnupg/#history

https://groups.google.com/forum/#!topic/python-gnupg/2yAlj_F2S1g
Comment 8 Hanno Böck gentoo-dev 2018-06-28 11:02:55 UTC
This seems a bit stuck.

@mozilla: Are we ready to stabilize 2.0.7?

@python: can you bump python-gnupg?
Comment 9 Jory A. Pratt gentoo-dev 2018-06-28 15:50:14 UTC
(In reply to Hanno Boeck from comment #8)
> This seems a bit stuck.
> 
> @mozilla: Are we ready to stabilize 2.0.7?
> 
> @python: can you bump python-gnupg?

enigmail-2.0.7 can go stable
Comment 10 Yury German Gentoo Infrastructure gentoo-dev Security 2019-03-12 07:21:36 UTC
This got lost, cleaning up. NoGLSA will be issued.