Bug 24341

Summary: python-gnupg new security issue CVE-2019-6690
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: davidwhodgins, herman.viaene, jani.valimaa, sysadmin-bugs, tarazed25
Version: 6
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA6-32-OK MGA6-64-OK
Source RPM: python-gnupg-0.4.3-3.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2019-02-10 22:52:51 CET
openSUSE has issued an advisory on February 7:
https://lists.opensuse.org/opensuse-updates/2019-02/msg00034.html

The issue is fixed upstream in 0.4.4.

Mageia 6 is also affected.
David Walser 2019-02-10 22:53:01 CET

Whiteboard: (none) => MGA6TOO
CC: (none) => jani.valimaa

David Walser 2019-02-11 02:17:02 CET

Status comment: (none) => Fixed upstream in 0.4.4

Comment 1 Jani Välimaa 2019-02-11 17:24:49 CET
Pushed 0.4.4 to cauldron and mga6 core/updates_testing.
Comment 2 David Walser 2019-02-11 20:02:21 CET
Advisory:
========================

Updated python-gnupg packages fix security vulnerability:

When symmetric encryption is used, data can be injected through the passphrase
property of the gnupg.GPG.encrypt() and gnupg.GPG.decrypt() methods. The
supplied passphrase is not validated for newlines, and the library passes
--passphrase-fd=0 to the gpg executable, which expects the passphrase on the
first line of stdin, and the ciphertext to be decrypted or plaintext to be
encrypted on subsequent lines. By supplying a passphrase containing a newline
an attacker can control/modify the ciphertext/plaintext being
decrypted/encrypted (CVE-2019-6690).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6690
https://lists.opensuse.org/opensuse-updates/2019-02/msg00034.html
========================

Updated packages in core/updates_testing:
========================
python-gnupg-0.4.4-1.mga6
python3-gnupg-0.4.4-1.mga6

from python-gnupg-0.4.4-1.mga6.src.rpm

Status comment: Fixed upstream in 0.4.4 => (none)
Assignee: bugsquad => qa-bugs
Severity: normal => major
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
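The injection described in the advisory above, modelled in Python as an added example. This is not python-gnupg's code and it never invokes gpg: the two model functions reproduce the stdin layout the unpatched library used (passphrase, newline, payload, with --passphrase-fd 0) and the way gpg splits that stream (first line is the passphrase, the rest is the data). The passphrases, payload and the check_passphrase() helper are constructed for the example; the check follows the idea of the 0.4.4 fix (refuse a passphrase containing a newline) rather than reproducing the upstream code.

```python
"""Model of the CVE-2019-6690 stdin injection (added example, not python-gnupg code).

python-gnupg < 0.4.4 passed --passphrase-fd 0 to gpg and wrote the passphrase,
a newline and then the payload to gpg's stdin. gpg takes the first line as the
passphrase and everything after it as the data to encrypt or decrypt. Nothing
below invokes gpg: the functions model that stdin layout so the effect of a
newline in the passphrase can be seen offline.
"""
from typing import Tuple

# Characters that would terminate the passphrase line early. Assumption: CR is
# treated like LF so the check errs on the side of rejecting.
LINE_TERMINATORS = ("\n", "\r")


def vulnerable_stdin(passphrase: str, payload: bytes) -> bytes:
    """stdin as the unpatched library assembled it: passphrase, newline, payload.

    The passphrase is not validated, which is the bug.
    """
    return passphrase.encode("utf-8") + b"\n" + payload


def gpg_view(stdin: bytes) -> Tuple[bytes, bytes]:
    """Model of how gpg consumes --passphrase-fd 0 when fd 0 is also the data.

    The first line is the passphrase; the remainder is the data to be
    encrypted or decrypted.
    """
    passphrase, _, data = stdin.partition(b"\n")
    return passphrase, data


def check_passphrase(passphrase: str) -> str:
    """Hardened check in the spirit of the 0.4.4 fix: refuse a passphrase that
    contains a line terminator instead of handing it to gpg."""
    if any(ch in passphrase for ch in LINE_TERMINATORS):
        raise ValueError("passphrase must not contain newline characters")
    return passphrase


def safe_stdin(passphrase: str, payload: bytes) -> bytes:
    """Same layout as vulnerable_stdin, but only after the passphrase passes
    check_passphrase, so the payload gpg sees is exactly the caller's."""
    return vulnerable_stdin(check_passphrase(passphrase), payload)


def rejects(passphrase: str) -> bool:
    """True if the hardened check refuses this passphrase."""
    try:
        check_passphrase(passphrase)
    except ValueError:
        return True
    return False


def demo() -> Tuple[bytes, bytes]:
    """Constructed inputs: an honest passphrase and one carrying a newline."""
    payload = b"hello world\n"           # what the caller meant to encrypt/decrypt
    injected = "hunter2\nATTACKER DATA"  # passphrase supplied by an attacker

    # Honest case: gpg sees the passphrase and the caller's payload unchanged.
    assert gpg_view(vulnerable_stdin("hunter2", payload)) == (b"hunter2", payload)

    # Injected case: the real passphrase still reaches gpg on line 1, but the
    # bytes after the embedded newline are prepended to the payload, so the
    # attacker now controls what gets encrypted or decrypted.
    seen_passphrase, seen_data = gpg_view(vulnerable_stdin(injected, payload))
    assert seen_passphrase == b"hunter2"
    assert seen_data == b"ATTACKER DATA\nhello world\n"

    # The hardened path refuses the injected passphrase before gpg is ever run.
    assert rejects(injected) and not rejects("hunter2")
    return seen_passphrase, seen_data


if __name__ == "__main__":
    pp, data = demo()
    print("passphrase gpg sees:", pp)
    print("data gpg sees:      ", data)
```

The point to take from the model is that the passphrase line is only delimited by the newline the library appends, so any caller that lets untrusted input reach the passphrase argument (a web front end, for instance) is effectively letting that input reach the data stream as well; rejecting line terminators in the passphrase, as 0.4.4 does, closes that path without changing how gpg is driven.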

Comment 3 Herman Viaene 2019-02-12 11:08:50 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
# urpmq --whatrequires python3-gnupg
mageiasync
python3-gnupg
So I installed mageiasync and pointed it to my Downloads folder which has never been used for mageiasync or gpg before.
$ strace -o pyth3gpg.txt mageiasync 
Signature file /home/tester6/Downloads/Mageia-7-beta2-Live-Xfce-i586/Mageia-7-beta2-Live-Xfce-i586.iso.md5.gpg not found
And in the trace there is no ref to gnupg (of course???)
The download completed successfully.
So that leaves me with a clean install.

CC: (none) => herman.viaene

Comment 4 Len Lawrence 2019-02-22 13:41:12 CET
Re comment #3:
Yes the gpg signature files are not provided any more but the tools are configured to search for them by the look of it.  Using --whatrequires-recursive turns up isodumper as well and that loads libgpg-error.so.0.  As you found, python3-gnupg will not be called into play if the signature file is not found.
So you should allot the 32-bit OK on the basis of your clean install.

CC: (none) => tarazed25

Herman Viaene 2019-03-04 10:22:38 CET

Whiteboard: (none) => MGA6-32-OK

Comment 5 Dave Hodgins 2019-03-06 22:58:19 CET
The gpg signatures are produced, but not until the iso images are released to the
public. mageiasync is now verifying the sigs. Note you must have the release key
on your keyring first, which you can get by running ...

$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 0xEDCA7A90

Advisory committed to svn. Validating the update.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2019-03-07 17:35:52 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0105.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED