Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 658150 (CVE-2018-12356) - <app-admin/pass-1.7.2: Breaking signature verification
Summary: <app-admin/pass-1.7.2: Breaking signature verification
Status: RESOLVED FIXED
Alias: CVE-2018-12356
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-14 22:16 UTC by Ian Zimmerman
Modified: 2018-06-14 23:09 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ian Zimmerman 2018-06-14 22:16:43 UTC
According to the posting in oss-security [1]:

>>
An issue was discovered in password-store.sh in pass in
Simple Password Store 1.7 through 1.7.1. The signature verification
routine parses the output of GnuPG with an incomplete regular
expression, which allows remote attackers to spoof file signatures on
configuration files and extensions scripts. Modifying the configuration
file allows the attacker to inject additional encryption keys under
their control, thereby disclosing passwords to the attacker. Modifying
the extension scripts allows the attacker arbitrary code execution.
<<

Upstream has released version 1.7.2, which presumably addresses this flaw (although I have not checked).  Please make it available in gentoo.

[1]
http://www.openwall.com/lists/oss-security/2018/06/14/3
Comment 1 Georgy Yakovlev archtester gentoo-dev 2018-06-14 23:01:20 UTC
Taken care of in 1.7.2 which already hit the tree and is stable keyworded.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=861e6bab31df9b6432b16df58c00440579f6ba4b


yes, it should be fixed in 1.7.2, here is upstream announcement
https://lists.zx2c4.com/pipermail/password-store/2018-June/003308.html

Thanks for reporting!