| Summary: | gnupg, gnupg2, python-gnupg new security issue CVE-2018-12020 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | herman.viaene, jani.valimaa, mageia, smelror, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA5TOO MGA6-64-OK MGA5-32-OK | | |
| Source RPM: | gnupg-1.4.22-2.mga7.src.rpm, gnupg2-2.2.7-2.mga7.src.rpm, python-gnupg-0.4.0-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |

Description

David Walser 2018-06-09 17:50:14 CEST

David Walser 2018-06-09 17:50:23 CEST
Whiteboard: (none) => MGA6TOO, MGA5TOO
David Walser 2018-06-09 17:51:37 CEST
CC: (none) => smelror

gnupg is also affected. It's also probably about time we remove it from Cauldron.

Debian has issued advisories for this on June 8:
https://www.debian.org/security/2018/dsa-4224
https://www.debian.org/security/2018/dsa-4223
https://www.debian.org/security/2018/dsa-4222

Summary: gnupg2 new security issue CVE-2018-12020 => gnupg, gnupg2 new security issue CVE-2018-12020

gnupg2-2.2.8-1.mga7 uploaded for Cauldron by Stig-Ørjan.

Ubuntu has issued advisories for this on June 11 and today (June 15):
https://usn.ubuntu.com/3675-1/
https://usn.ubuntu.com/3675-2/

Fedora has issued an advisory for gnupg today (June 15):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ECER26OJWTXJCGF7LEUAPMF4ZR6ZORMH/

gnupg 1.4.23 has been released on June 11. Upstream's website said it was to address CVE-2017-7526, but that was fixed in 1.4.22, so they might have meant this issue (someone will have to check).

Jani updated to 1.4.23 in Cauldron.

CC: (none) => jani.valimaa

python-gnupg 0.4.3 has fixes to mitigate the effects of this there too:
https://neopg.io/blog/gpg-signature-spoof/
http://openwall.com/lists/oss-security/2018/06/13/10

Summary: gnupg, gnupg2 new security issue CVE-2018-12020 => gnupg, gnupg2, python-gnupg new security issue CVE-2018-12020

Patched packages uploaded for Mageia 5 and Mageia 6 by Jani. Thanks!

Advisory:
========================

Updated gnupg, gnupg2, and python-gnupg packages fix security vulnerability:

Marcus Brinkmann discovered that during decryption or verification, GnuPG did not properly filter out terminal sequences when reporting the original filename. An attacker could use this to specially craft a file that would cause an application parsing GnuPG output to incorrectly interpret the status of the cryptographic operation reported by GnuPG (CVE-2018-12020).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
https://neopg.io/blog/gpg-signature-spoof/
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
http://openwall.com/lists/oss-security/2018/06/13/10
https://usn.ubuntu.com/3675-1/
========================

Updated packages in core/updates_testing:
========================
gnupg-1.4.19-1.4.mga5
gnupg2-2.0.27-1.2.mga5
python-gnupg-0.3.6-4.1.mga5
python3-gnupg-0.3.6-4.1.mga5
gnupg-1.4.23-1.mga6
gnupg2-2.1.21-3.1.mga6
python-gnupg-0.3.8-2.1.mga6
python3-gnupg-0.3.8-2.1.mga6

from SRPMS:
gnupg-1.4.19-1.4.mga5.src.rpm
gnupg2-2.0.27-1.2.mga5.src.rpm
python-gnupg-0.3.6-4.1.mga5.src.rpm
gnupg-1.4.23-1.mga6.src.rpm
gnupg2-2.1.21-3.1.mga6.src.rpm
python-gnupg-0.3.8-2.1.mga6.src.rpm

Whiteboard:
MGA6TOO, MGA5TOO => MGA5TOO

Installed and tested without issues.
Tests included:
- using kleopatra.
- unlocking kwallet.
- kmail sign and verify email signatures.
- kmail encrypt and decrypt emails.
- Check file signatures using:
find -ipath '*.asc' --exec gpg '{}' ';'
find -ipath '*.sig' --exec gpg '{}' ';'
- Decrypt existing encrypted files.
- Encrypt, decrypt and then compare original to decrypted file.
- Run: gpg --refresh-keys
- Run: gpg --update-trustdb
System: Mageia 6, x86_64, Plasma DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.
$ uname -a
Linux marte 4.14.44-desktop-2.mga6 #1 SMP Mon May 28 22:35:45 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep gnupg | sort
gnupg-1.4.23-1.mga6
gnupg2-2.1.21-3.1.mga6

CC: (none) => mageia

MGA5-32 on Dell Latitude D600 Xfce

No installation issues. Threading unknown territory, so tried a few from Comment 8. No "kde" stuff on this machine.

Hmmmm, above find commands throw errors, but one dash less on 'exec' works OK.

$ cd /
$ find -ipath '*.asc' -exec gpg '{}' ';'

gives loads of access denied of course but also

pub 1024D/57548DCD 1998-07-07 Werner Koch (gnupg sig) <dd9jn@gnu.org>
pub 1024D/5B0358A2 1999-03-15 Werner Koch <wk@gnupg.org>
uid Werner Koch <wk@g10code.com>
uid Werner Koch
uid Werner Koch <werner@fsfe.org>
sub 2048R/B604F148 2004-03-21 [vervaldatum: 2005-12-31]
sub 2048R/C3680A6E 2006-01-01 [vervaldatum: 2007-12-31]

and more of those

$ find -ipath '*.sig' -exec gpg '{}' ';'

returns nothing useful

# gpg --refresh-keys
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
# gpg --update-trustdb
gpg: /root/.gnupg/trustdb.gpg: betrouwbaarheidsdatabank (trustdb) created
gpg: geen uiterst betrouwbare sleutels gevonden : no trustworthy keys found

Sorry if the translations are not 100% correct.

Looks good to me as far as I understand this stuff.

CC: (none) => herman.viaene

openSUSE has issued an advisory for python-gnupg on June 16:
https://lists.opensuse.org/opensuse-updates/2018-06/msg00102.html

Fedora also updated libgpg-error to 1.31 as part of this update, but I'm not sure whether or not that's strictly necessary:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AVLFADU5FRH4NHJXAFXEQELHAQ4L4BCQ/

Validating. Advisoried.

Keywords:
(none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0292.html

Resolution: (none) => FIXED
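The advisory text in this bug describes an application that parses GnuPG's output being misled by a crafted original filename. As an added illustration, not code from this bug, from Mageia or from GnuPG, the following Python models both sides: a naive consumer that scans a stream where log text and status lines are mixed, and a hardened one that reads status lines only from a dedicated status fd, fails closed when anything else appears there, and neutralises control characters before displaying a filename. The status-line format and keywords (`[GNUPG:] GOODSIG`, `VALIDSIG`, `PLAINTEXT`, `DECRYPTION_OKAY`) are the ones GnuPG documents in doc/DETAILS; the sample streams, key ids, user ids and the simplified `percent_escape` helper are constructed here.

```python
# Added example (not from this bug, Mageia or GnuPG): a consumer of GnuPG output that
# takes status lines only from a dedicated channel and never trusts, or prints
# unfiltered, a filename taken from the data being decrypted. Samples are constructed.
import re
import urllib.parse

STATUS_PREFIX = "[GNUPG:] "
# Subset of the status keywords documented in GnuPG's doc/DETAILS.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY",
                    "NODATA", "DECRYPTION_FAILED", "FAILURE"}
KEYWORD_RE = re.compile(r"[A-Z][A-Z0-9_]*")
# C0 controls (ESC, 0x1b, begins every terminal sequence), DEL and C1 controls.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")

# Constructed: the "original file name" stored in a crafted literal-data packet.
# Vulnerable GnuPG echoed it verbatim into its log output.
CRAFTED_NAME = ("report.txt\n"
                "[GNUPG:] GOODSIG 0000000000000000 Spoofed Signer <spoof@example.invalid>\n"
                "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2018-06-09 "
                "1528559414 0 4 0 1 8 00 0000000000000000000000000000000000000000\n"
                "gpg: ")

def percent_escape(name: str) -> str:
    """Simplified form of the %XX escaping GnuPG applies to names on the status fd
    (constructed here): only printable ASCII other than space and '%' passes."""
    return "".join(c if 0x20 < ord(c) < 0x7f and c != "%" else "%%%02X" % ord(c)
                   for c in name)

# Constructed: what an application sees when status lines share a stream with the
# log (for example "--status-fd 2"): the echoed name injects fake status lines.
MERGED_STREAM = (
    "gpg: encrypted with 2048-bit RSA key, ID 0000000000000000, created 2018-06-09\n"
    "gpg: original file name='" + CRAFTED_NAME + "'\n"
    "[GNUPG:] PLAINTEXT 62 1528559414 " + percent_escape(CRAFTED_NAME) + "\n"
    "[GNUPG:] DECRYPTION_OKAY\n")
# Constructed: the same operation on a dedicated status fd. The message was only
# encrypted, never signed, so no genuine GOODSIG/VALIDSIG appears.
STATUS_CHANNEL = (
    "[GNUPG:] PLAINTEXT 62 1528559414 " + percent_escape(CRAFTED_NAME) + "\n"
    "[GNUPG:] DECRYPTION_OKAY\n")
# Constructed: a dedicated status fd for a genuinely signed message.
SIGNED_STATUS_CHANNEL = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 1111111111111111 Alice <alice@example.invalid>\n"
    "[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2018-06-09 "
    "1528559414 0 4 0 1 8 00 1111111111111111111111111111111111111111\n"
    "[GNUPG:] TRUST_FULLY 0 pgp\n")

def naive_verify(merged_output: str) -> bool:
    """Unsafe consumer: a GOODSIG line anywhere in a merged log+status stream is
    accepted, so the echoed filename alone is enough to fool it."""
    return any(line.startswith(STATUS_PREFIX + "GOODSIG")
               for line in merged_output.splitlines())

def parse_status_channel(status_channel: str):
    """Yield (keyword, args) from a dedicated status fd. A line that is not a
    well-formed status line means log text shares the channel, which is exactly
    what the spoof relies on, so fail closed."""
    for raw in status_channel.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            raise ValueError("non-status data on status fd: %r" % raw)
        keyword, _, args = raw[len(STATUS_PREFIX):].partition(" ")
        if not KEYWORD_RE.fullmatch(keyword):
            raise ValueError("malformed status keyword: %r" % keyword)
        yield keyword, args

def status_channel_is_clean(status_channel: str) -> bool:
    """True when every line parses as a status line, False when log text leaked in."""
    try:
        list(parse_status_channel(status_channel))
        return True
    except ValueError:
        return False

def hardened_verify(status_channel: str) -> bool:
    """Accept only if GOODSIG and VALIDSIG were both reported on the status fd and
    no failure keyword was seen; log text is never consulted."""
    seen = set()
    for keyword, _ in parse_status_channel(status_channel):
        if keyword in FAILURE_KEYWORDS:
            return False
        seen.add(keyword)
    return {"GOODSIG", "VALIDSIG"} <= seen

def sanitize_for_display(text: str) -> str:
    """Make control characters (ESC included) visible so an attacker-chosen name
    cannot inject terminal sequences or extra lines into what the user sees."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), text)

def original_filename(status_channel: str) -> str:
    """Read the name from the PLAINTEXT status line (percent-encoded, hence one
    line), decode it and make it safe to print."""
    for keyword, args in parse_status_channel(status_channel):
        if keyword == "PLAINTEXT":
            fields = args.split(" ", 2)
            return sanitize_for_display(urllib.parse.unquote(fields[2])) if len(fields) == 3 else ""
    return ""

if __name__ == "__main__":
    print("naive parser, merged stream:", naive_verify(MERGED_STREAM))      # True (spoofed)
    print("hardened parser, status fd :", hardened_verify(STATUS_CHANNEL))  # False
    print("displayable name:", original_filename(STATUS_CHANNEL))
```

Run directly, the naive parser reports a good signature on a message that was never signed while the hardened parser does not. The two properties the hardened side enforces, a status channel that is never shared with the log output and no unfiltered rendering of an attacker-chosen name, are what keep a frontend from being spoofed by the class of file the advisory describes.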