According to the posting on oss-security [1]:

>> An issue was discovered in password-store.sh in pass in Simple Password Store 1.7 through 1.7.1. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files and extension scripts. Modifying the configuration file allows the attacker to inject additional encryption keys under their control, thereby disclosing passwords to the attacker. Modifying the extension scripts allows the attacker arbitrary code execution. <<

Upstream has released version 1.7.2, which presumably addresses this flaw (although I have not checked). Please make it available in Gentoo.

[1] http://www.openwall.com/lists/oss-security/2018/06/14/3
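The advisory quoted above turns on how GnuPG's machine-readable status output is parsed. The following is an added illustration, not code from pass or from this bug report: a parser that accepts a VALIDSIG line only when the entire line matches GnuPG's documented field layout, so a status line whose free-text payload merely contains a VALIDSIG-shaped string is never taken as proof of a signature. The fingerprints, key IDs and status transcripts are constructed sample data.

```python
import re

# GnuPG status lines (--status-fd) have a fixed shape. The one that names the
# verified key is, per GnuPG's DETAILS document:
#   [GNUPG:] VALIDSIG <fpr> <date> <sig-ts> <exp-ts> <ver> <rsvd> <pk-algo> <hash-algo> <class> <primary-fpr>
# Every field is matched and fullmatch() is used, so "VALIDSIG" text embedded in
# another status line (e.g. a NOTATION_DATA payload) cannot satisfy the pattern.
VALIDSIG_RE = re.compile(
    r"\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) \S+ \d+ \d+ \d+ \d+ \d+ \d+ [0-9A-F]{2} ([0-9A-F]{40})"
)

# Status prefixes that mean the verification must be treated as failed.
FAILURE_PREFIXES = ("[GNUPG:] BADSIG", "[GNUPG:] ERRSIG", "[GNUPG:] EXPKEYSIG",
                    "[GNUPG:] REVKEYSIG", "[GNUPG:] NO_PUBKEY")


def signing_keys(status_output):
    """Primary-key fingerprints from lines that are exactly VALIDSIG lines."""
    keys = set()
    for line in status_output.splitlines():
        m = VALIDSIG_RE.fullmatch(line)
        if m:
            keys.add(m.group(2))
    return keys


def signature_trusted(status_output, trusted_fingerprints):
    """True only if no failure status appeared and a VALIDSIG names a trusted key."""
    if any(line.startswith(FAILURE_PREFIXES) for line in status_output.splitlines()):
        return False
    return bool(signing_keys(status_output) & trusted_fingerprints)


# Constructed sample data (not real keys).
TRUSTED_KEY = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_KEY = "1111111111111111111111111111111111111111"
SUBKEY = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# A genuine verification: signing subkey belongs to the trusted primary key.
GOOD_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {SUBKEY[-16:]} Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG {SUBKEY} 2018-06-14 1528934400 0 4 0 1 8 00 {TRUSTED_KEY}
[GNUPG:] TRUST_ULTIMATE 0 pgp"""

# A valid signature from an untrusted key whose notation payload carries a
# lookalike VALIDSIG string; only the real VALIDSIG line may be counted.
LOOKALIKE_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {OTHER_KEY[-16:]} Someone Else <other@example.invalid>
[GNUPG:] NOTATION_DATA [GNUPG:] VALIDSIG {TRUSTED_KEY} 2018-06-14 1528934400 0 4 0 1 8 00 {TRUSTED_KEY}
[GNUPG:] VALIDSIG {OTHER_KEY} 2018-06-14 1528934400 0 4 0 1 8 00 {OTHER_KEY}
[GNUPG:] TRUST_UNDEFINED 0 pgp"""
```

`signature_trusted(GOOD_STATUS, {TRUSTED_KEY})` is true, while `signature_trusted(LOOKALIKE_STATUS, {TRUSTED_KEY})` is false because only the anchored VALIDSIG line, naming the untrusted key, is parsed.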
Taken care of in 1.7.2, which already hit the tree and is stable keyworded.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=861e6bab31df9b6432b16df58c00440579f6ba4b

Yes, it should be fixed in 1.7.2; here is the upstream announcement:

https://lists.zx2c4.com/pipermail/password-store/2018-June/003308.html

Thanks for reporting!