Bug 24341 - python-gnupg new security issue CVE-2019-6690
Summary: python-gnupg new security issue CVE-2019-6690
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2019-02-10 22:52 CET by David Walser
Modified: 2019-03-07 17:35 CET (History)
CC: 5 users

See Also:
Source RPM: python-gnupg-0.4.3-3.mga7.src.rpm
Status comment:


Description David Walser 2019-02-10 22:52:51 CET
openSUSE has issued an advisory on February 7:

The issue is fixed upstream in 0.4.4.

Mageia 6 is also affected.
David Walser 2019-02-10 22:53:01 CET

Whiteboard: (none) => MGA6TOO
CC: (none) => jani.valimaa

David Walser 2019-02-11 02:17:02 CET

Status comment: (none) => Fixed upstream in 0.4.4

Comment 1 Jani Välimaa 2019-02-11 17:24:49 CET
Pushed 0.4.4 to cauldron and mga6 core/updates_testing.
Comment 2 David Walser 2019-02-11 20:02:21 CET

Updated python-gnupg packages fix security vulnerability:

When symmetric encryption is used, data can be injected through the passphrase
property of the gnupg.GPG.encrypt() and gnupg.GPG.decrypt() methods. The
supplied passphrase is not validated for newlines, and the library passes
--passphrase-fd=0 to the gpg executable, which expects the passphrase on the
first line of stdin, and the ciphertext to be decrypted or plaintext to be
encrypted on subsequent lines. By supplying a passphrase containing a newline
an attacker can control/modify the ciphertext/plaintext being
decrypted/encrypted (CVE-2019-6690).


Updated packages in core/updates_testing:

from python-gnupg-0.4.4-1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Severity: normal => major
Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in 0.4.4 => (none)
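The advisory text above describes the mechanism without showing it. The following is an added example, written for this page and not code from the bug report or from python-gnupg: it models the stdin layout the library builds when it passes --passphrase-fd=0 (passphrase on the first line, data on the following lines), shows how a passphrase containing a newline shifts the boundary between passphrase and payload, and adds the kind of validation that closes the hole. Function names, the constructed passphrases and the constructed payloads are all mine; rejecting "\r" as well as "\n" is a conservative choice of this example, not a statement about what upstream 0.4.4 does.

```python
"""Model of the --passphrase-fd=0 stdin layout described in CVE-2019-6690.

Added example for illustration; not python-gnupg's code.  It never calls gpg:
it only reproduces the framing of the data the library writes to gpg's stdin
so the effect of an unvalidated passphrase can be seen and tested offline.
"""


def build_fd0_stream(passphrase: str, payload: bytes) -> bytes:
    """Lay out stdin the way the vulnerable library did: the passphrase on the
    first line, then the plaintext to encrypt or ciphertext to decrypt."""
    return passphrase.encode("utf-8") + b"\n" + payload


def split_fd0_stream(stream: bytes) -> tuple[str, bytes]:
    """Model of the reading side: gpg takes the first line as the passphrase
    and everything after the first newline as the data to process."""
    head, _sep, rest = stream.partition(b"\n")
    return head.decode("utf-8"), rest


def validate_passphrase(passphrase: str) -> str:
    """Reject any passphrase that could terminate the first stdin line early.
    "\\r" is rejected too as a conservative choice (assumption of this example)."""
    if "\n" in passphrase or "\r" in passphrase:
        raise ValueError("passphrase must not contain newline characters")
    return passphrase


def safe_build_fd0_stream(passphrase: str, payload: bytes) -> bytes:
    """Hardened variant: validate before the passphrase reaches the stream."""
    return build_fd0_stream(validate_passphrase(passphrase), payload)


def payload_survives(passphrase: str, payload: bytes) -> bool:
    """True if the data gpg would process equals what the caller intended."""
    _seen_passphrase, seen_payload = split_fd0_stream(
        build_fd0_stream(passphrase, payload)
    )
    return seen_payload == payload


if __name__ == "__main__":
    # Constructed sample values; any real passphrase would be a secret.
    benign = "correct horse battery staple"
    tampered = "correct horse battery staple\ninjected line"
    data = b"message the caller actually meant to encrypt"

    print("benign passphrase keeps payload intact:", payload_survives(benign, data))
    print("newline in passphrase alters payload:", not payload_survives(tampered, data))
    print("gpg would see:", split_fd0_stream(build_fd0_stream(tampered, data)))
    try:
        safe_build_fd0_stream(tampered, data)
    except ValueError as exc:
        print("hardened builder rejects it:", exc)
```

The point of `payload_survives` is the detection check a reviewer of such a wrapper would want: whatever framing a library uses to hand secrets to a child process over a shared stream, every field that precedes the data must be checked for the separator, or the caller's data is no longer what the child processes.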

Comment 3 Herman Viaene 2019-02-12 11:08:50 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
# urpmq --whatrequires python3-gnupg
So I installed mageiasync and pointed it to my Downloads folder which has never been used for mageiasync or gpg before.
$ strace -o pyth3gpg.txt mageiasync 
Signature file /home/tester6/Downloads/Mageia-7-beta2-Live-Xfce-i586/Mageia-7-beta2-Live-Xfce-i586.iso.md5.gpg not found
And in the trace there is no ref to gnupg (of course???)
The download completed successfully.
So that leaves me with a clean install.

CC: (none) => herman.viaene

Comment 4 Len Lawrence 2019-02-22 13:41:12 CET
Re comment #3:
Yes, the gpg signature files are not provided any more, but the tools are configured to search for them by the look of it.  Using --whatrequires-recursive turns up isodumper as well, and that loads libgpg-error.so.0.  As you found, python3-gnupg will not be called into play if the signature file is not found.
So you should allot the 32-bit OK on the basis of your clean install.

CC: (none) => tarazed25

Herman Viaene 2019-03-04 10:22:38 CET

Whiteboard: (none) => MGA6-32-OK

Comment 5 Dave Hodgins 2019-03-06 22:58:19 CET
The gpg signatures are produced, but not until the iso images are released to the
public. mageiasync is now verifying the sigs. Note you must have the release key
on your keyring first, which you can get by running ...

$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 0xEDCA7A90

Advisory committed to svn. Validating the update.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2019-03-07 17:35:52 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
