Bug 24341 - python-gnupg new security issue CVE-2019-6690
Summary: python-gnupg new security issue CVE-2019-6690
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-10 22:52 CET by David Walser
Modified: 2019-02-22 13:41 CET

See Also:
Source RPM: python-gnupg-0.4.3-3.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2019-02-10 22:52:51 CET
openSUSE has issued an advisory on February 7:
https://lists.opensuse.org/opensuse-updates/2019-02/msg00034.html

The issue is fixed upstream in 0.4.4.

Mageia 6 is also affected.
David Walser 2019-02-10 22:53:01 CET

CC: (none) => jani.valimaa
Whiteboard: (none) => MGA6TOO

David Walser 2019-02-11 02:17:02 CET

Status comment: (none) => Fixed upstream in 0.4.4

Comment 1 Jani Välimaa 2019-02-11 17:24:49 CET
Pushed 0.4.4 to cauldron and mga6 core/updates_testing.
Comment 2 David Walser 2019-02-11 20:02:21 CET
Advisory:
========================

Updated python-gnupg packages fix security vulnerability:

When symmetric encryption is used, data can be injected through the passphrase
property of the gnupg.GPG.encrypt() and gnupg.GPG.decrypt() methods. The
supplied passphrase is not validated for newlines, and the library passes
--passphrase-fd=0 to the gpg executable, which expects the passphrase on the
first line of stdin, and the ciphertext to be decrypted or plaintext to be
encrypted on subsequent lines. By supplying a passphrase containing a newline
an attacker can control/modify the ciphertext/plaintext being
decrypted/encrypted (CVE-2019-6690).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6690
https://lists.opensuse.org/opensuse-updates/2019-02/msg00034.html
========================

Updated packages in core/updates_testing:
========================
python-gnupg-0.4.4-1.mga6
python3-gnupg-0.4.4-1.mga6

from python-gnupg-0.4.4-1.mga6.src.rpm

Severity: normal => major
Status comment: Fixed upstream in 0.4.4 => (none)
Assignee: bugsquad => qa-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
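The advisory above describes the root cause: gpg reads the passphrase from the first line of fd 0 and everything after it as the payload, so a passphrase containing a newline moves that boundary. The example below is added here and is not python-gnupg's own code; it models the fd-0 stream without invoking gpg (the layout "passphrase, newline, data" is an assumption about how the library writes stdin) and shows the validation a wrapper should apply before the process is started.

```python
from typing import Dict, Tuple

def validate_passphrase(passphrase: str) -> str:
    """Reject passphrases that would span more than one line of the fd-0 stream."""
    if not isinstance(passphrase, str):
        raise TypeError("passphrase must be a str")
    if "\n" in passphrase or "\r" in passphrase:
        raise ValueError("passphrase must not contain newline characters")
    return passphrase

def build_fd0_stream(passphrase: str, data: bytes) -> bytes:
    """Model of what is written to gpg's stdin under --passphrase-fd=0:
    passphrase line first, then the data (assumed layout, gpg is not run)."""
    return passphrase.encode("utf-8") + b"\n" + data

def split_as_gpg_would(stream: bytes) -> Tuple[bytes, bytes]:
    """gpg takes the first line as the passphrase, the remainder as payload."""
    head, _, rest = stream.partition(b"\n")
    return head, rest

def safe_encrypt_stream(passphrase: str, plaintext: bytes) -> bytes:
    """Hardened path: validate the passphrase, then build the stream."""
    return build_fd0_stream(validate_passphrase(passphrase), plaintext)

# Constructed sample plaintext for the demonstration.
PLAINTEXT = b"secret report\n"

def demo() -> Dict[str, object]:
    out: Dict[str, object] = {}
    # Clean passphrase: gpg sees the passphrase and exactly the intended data.
    out["good"] = split_as_gpg_would(safe_encrypt_stream("hunter2", PLAINTEXT))
    # Passphrase with an embedded newline: refused before gpg would be started.
    try:
        safe_encrypt_stream("hunter2\nextra line", PLAINTEXT)
        out["rejected"] = False
    except ValueError:
        out["rejected"] = True
    # Unvalidated path (the pre-0.4.4 behaviour the advisory describes):
    # the text after the newline is treated by gpg as part of the payload.
    out["unvalidated"] = split_as_gpg_would(
        build_fd0_stream("hunter2\nextra line", PLAINTEXT))
    return out
```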

Comment 3 Herman Viaene 2019-02-12 11:08:50 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
# urpmq --whatrequires python3-gnupg
mageiasync
python3-gnupg
So I installed mageiasync and pointed it to my Downloads folder which has never been used for mageiasync or gpg before.
$ strace -o pyth3gpg.txt mageiasync 
Signature file /home/tester6/Downloads/Mageia-7-beta2-Live-Xfce-i586/Mageia-7-beta2-Live-Xfce-i586.iso.md5.gpg not found
And in the trace there is no ref to gnupg (of course???)
The download completed successfully.
So that leaves me with a clean install.

CC: (none) => herman.viaene

Comment 4 Len Lawrence 2019-02-22 13:41:12 CET
Re comment #3:
Yes, the gpg signature files are not provided any more, but the tools are configured to search for them by the look of it. Using --whatrequires-recursive turns up isodumper as well, and that loads libgpg-error.so.0. As you found, python3-gnupg will not be called into play if the signature file is not found.
So you should allot the 32-bit OK on the basis of your clean install.

CC: (none) => tarazed25

