Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 658150 (CVE-2018-12356) - <app-admin/pass-1.7.2: Breaking signature verification
Summary: <app-admin/pass-1.7.2: Breaking signature verification
Alias: CVE-2018-12356
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa cve]
Depends on:
Reported: 2018-06-14 22:16 UTC by Ian Zimmerman
Modified: 2018-06-14 23:09 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Ian Zimmerman 2018-06-14 22:16:43 UTC
According to the posting in oss-security [1]:

An issue was discovered in in pass in
Simple Password Store 1.7 through 1.7.1. The signature verification
routine parses the output of GnuPG with an incomplete regular
expression, which allows remote attackers to spoof file signatures on
configuration files and extensions scripts. Modifying the configuration
file allows the attacker to inject additional encryption keys under
their control, thereby disclosing passwords to the attacker. Modifying
the extension scripts allows the attacker arbitrary code execution.

Upstream has released version 1.7.2, which presumably addresses this flaw (although I have not checked).  Please make it available in gentoo.

Comment 1 Georgy Yakovlev archtester gentoo-dev 2018-06-14 23:01:20 UTC
Taken care of in 1.7.2 which already hit the tree and is stable keyworded.

yes, it should be fixed in 1.7.2, here is upstream announcement

Thanks for reporting!