Re : Re: [oss-security] CVE-2018-12020 in GnuPG

[Stiepan <stie@itk.swiss>]

Hello to both,

This responsibility discussion is all well and fine, but now that this is half-public, may we know for sure whether we 
are affected :
1. as debian(-like) package consumers
2. as users of GPG for other purposes, such as webmail (have CC-ed protonmail to that regard)
and since when, so as to do proper rollbacks or other applicable mitigations (w.r.t packages) ?
By the way, this is why I think disclosure of such issues and mitigations should be a matter discussed at an official 
international forum such as the ITU is, before everything gets out.

Enjoy your Sunday,
Stiepan A. Kovac
President
itk AVtobvS SARL

Envoyé depuis ProtonMail mobile

-------- Message d'origine --------
On 9 juin 2018 à 2:02, Marcus Brinkmann a écrit :

> Hi,
>
> On 06/08/2018 09:36 PM, Yves-Alexis Perez wrote:
> > Hi everybody,
> >
> > just a heads up, since we weren't notified in advance and it's Friday evening
> > (in Europe at least).
>
> Yes. I tried to disclose this responsibly with Werner Koch (and in
> coordination with other affected projects), but within two hours he did
> a unilateral full disclosure without getting back to me.
>
> :(
>
> > There's a nasty vulnerability in GnuPG which can be apparently used to bypass
> > signature verification when a program calls gpg to verify a signature and
> > parses the output:
> >
> > https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
> > https://dev.gnupg.org/T4012
> >
> > It might be worth checking whether package managers signature verification is
> > affected.
> >
> > Apt doesn't seems affected at first sight (it uses gpgv) but we'll double
> > check.
>
> I am still handling this under responsible disclosure. This is why I
> have not spoken out yet, and the CVE is not public. But what you say is
> important and correct.
>
> Thanks,
> Marcus