Package        : python-gnupg
Version        : 0.3.6-1+deb8u1
CVE ID         : CVE-2019-6690

Alexander Kjäll and Stig Palmquist discovered a vulnerability in python-gnupg, a wrapper around GNU Privacy Guard. It was possible to inject data through the passphrase property of the gnupg.GPG.encrypt() and gnupg.GPG.decrypt() functions when symmetric encryption is used. The supplied passphrase is not validated for newlines, and the library passes --passphrase-fd=0 to the gpg executable, which expects the passphrase on the first line of stdin, and the ciphertext to be decrypted or plaintext to be encrypted on subsequent lines.

By supplying a passphrase containing a newline an attacker can control/modify the ciphertext/plaintext being decrypted/encrypted.

For Debian 8 "Jessie", this problem has been fixed in version 0.3.6-1+deb8u1.

We recommend that you upgrade your python-gnupg packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
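The stdin layout described above can be modelled without running gpg. The following is an added example, not code from python-gnupg or from this advisory; the function names, the caller-side check and the sample values are assumptions made for illustration.

```python
from typing import Tuple

# Added illustration: models the byte stream a wrapper writes to the stdin of
# `gpg --passphrase-fd=0`. It never runs gpg or imports python-gnupg.

def build_stdin_unchecked(passphrase: str, data: bytes) -> bytes:
    """Behaviour the advisory describes: passphrase, one newline, then data."""
    return passphrase.encode("utf-8") + b"\n" + data

def split_as_gpg_reads(stream: bytes) -> Tuple[bytes, bytes]:
    """gpg takes the first line as the passphrase, the rest as the payload."""
    first_line, _, rest = stream.partition(b"\n")
    return first_line, rest

def validate_passphrase(passphrase: str) -> str:
    """Hypothetical caller-side check: keep the passphrase on a single line.
    '\\r' is rejected too as an extra precaution (assumption of this example)."""
    if not isinstance(passphrase, str):
        raise TypeError("passphrase must be a str")
    if "\n" in passphrase or "\r" in passphrase:
        raise ValueError("passphrase must not contain line breaks")
    return passphrase

def build_stdin_checked(passphrase: str, data: bytes) -> bytes:
    """Same stream layout, but only after the passphrase passed validation."""
    return build_stdin_unchecked(validate_passphrase(passphrase), data)

def demo() -> dict:
    data = b"application plaintext\n"                  # constructed sample
    tainted = "form-value\nCONSTRUCTED-SECOND-LINE"    # constructed sample
    seen_pw, seen_data = split_as_gpg_reads(build_stdin_unchecked(tainted, data))
    try:
        build_stdin_checked(tainted, data)
        rejected = False
    except ValueError:
        rejected = True
    ok_pw, ok_data = split_as_gpg_reads(build_stdin_checked("one line only", data))
    return {
        "unchecked_passphrase": seen_pw,   # only the text before the newline
        "unchecked_payload": seen_data,    # remainder is prepended to the data
        "checked_rejects_tainted": rejected,
        "checked_payload_intact": ok_data == data and ok_pw == b"one line only",
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Applications that take the passphrase from untrusted input can apply a check of this kind in their own code in addition to installing the fixed package.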
