Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 685864 (CVE-2019-6690) - <dev-python/python-gnupg-0.4.5: improper input validation in gnupg.GPG.encrypt() and gnupg.GPG.decrypt() (CVE-2019-6690)
Summary: <dev-python/python-gnupg-0.4.5: improper input validation in gnupg.GPG.encryp...
Status: RESOLVED FIXED
Alias: CVE-2019-6690
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-13 15:47 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-25 20:01 UTC (History)
2 users (show)

See Also:
Package list:
dev-python/python-gnupg-0.4.5
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-05-13 15:47:24 UTC
CVE-2019-6690 (https://nvd.nist.gov/vuln/detail/CVE-2019-6690):
  python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to
  decrypt other ciphertext than intended. To perform the attack, the
  passphrase to gnupg must be controlled by the adversary and the ciphertext
  should be trusted. Related to a "CWE-20: Improper Input Validation" issue
  affecting the affect functionality component.
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-05-13 15:49:00 UTC
Please bump to >=0.4.4.
Comment 2 Larry the Git Cow gentoo-dev 2019-12-17 18:39:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4038ef34b9021911fa48641cb3a55edfd2c06bca

commit 4038ef34b9021911fa48641cb3a55edfd2c06bca
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2019-12-17 18:33:41 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2019-12-17 18:37:28 +0000

    dev-python/python-gnupg: bump to version 0.4.5
    
    Dropped patches, since they got merged.
    Also added python3.8 support, as all tests locally passed.
    
    Bug: https://bugs.gentoo.org/685864
    Package-Manager: Portage-2.3.81, Repoman-2.3.20
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 dev-python/python-gnupg/Manifest                  |  1 +
 dev-python/python-gnupg/python-gnupg-0.4.5.ebuild | 29 +++++++++++++++++++++++
 2 files changed, 30 insertions(+)
Comment 3 Agostino Sarubbo gentoo-dev 2019-12-18 14:57:53 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-12-20 12:51:02 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Larry the Git Cow gentoo-dev 2019-12-20 19:43:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96b5608ee3d86f4710dbca58e1c702bf18b90eaf

commit 96b5608ee3d86f4710dbca58e1c702bf18b90eaf
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2019-12-20 19:40:39 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2019-12-20 19:42:54 +0000

    dev-python/python-gnupg: drop old versions
    
    Bug: https://bugs.gentoo.org/685864
    Package-Manager: Portage-2.3.81, Repoman-2.3.20
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 dev-python/python-gnupg/Manifest                   |  3 --
 ...hon-gnupg-0.4.3-skip_network_needing_test.patch | 51 ----------------------
 ...n-gnupg-0.4.3-use_seperate_keys_directory.patch | 50 ---------------------
 dev-python/python-gnupg/python-gnupg-0.4.0.ebuild  | 27 ------------
 dev-python/python-gnupg/python-gnupg-0.4.1.ebuild  | 27 ------------
 dev-python/python-gnupg/python-gnupg-0.4.3.ebuild  | 31 -------------
 6 files changed, 189 deletions(-)
Comment 6 Thomas Deutschmann gentoo-dev Security 2020-03-25 20:01:12 UTC
GLSA Vote: No

Repository is clean, all done!