Thank you, thanks

On Thu 14 Feb 2019 15:00, Markus Koschany <a...@debian.org> wrote:
> Package : python-gnupg
> Version : 0.3.6-1+deb8u1
> CVE ID : CVE-2019-6690
>
> Alexander Kjäll and Stig Palmquist discovered a vulnerability in
> python-gnupg, a wrapper around GNU Privacy Guard. It was possible to
> inject data through the passphrase property of the gnupg.GPG.encrypt()
> and gnupg.GPG.decrypt() functions when symmetric encryption is used.
> The supplied passphrase is not validated for newlines, and the library
> passes --passphrase-fd=0 to the gpg executable, which expects the
> passphrase on the first line of stdin, and the ciphertext to be
> decrypted or plaintext to be encrypted on subsequent lines.
>
> By supplying a passphrase containing a newline an attacker can
> control/modify the ciphertext/plaintext being decrypted/encrypted.
>
> For Debian 8 "Jessie", this problem has been fixed in version
> 0.3.6-1+deb8u1.
>
> We recommend that you upgrade your python-gnupg packages.
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
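
The stdin framing described in the quoted advisory, modelled as an added example that is not part of this thread, the advisory, or python-gnupg's own code. No gpg process is started; all function names and sample values are hypothetical and constructed for illustration, and `split_gpg_stdin()` only imitates "first line is the passphrase, the rest is data".

```python
# Added example: models the stdin layout used with --passphrase-fd=0.
# Function names are hypothetical; nothing here calls gpg or python-gnupg.

def build_stdin(passphrase, data):
    """Unvalidated framing: passphrase, one newline, then the data."""
    return passphrase.encode("utf-8") + b"\n" + data


def split_gpg_stdin(stream):
    """Reader's view: first line is the passphrase, the remainder is data."""
    first, _, rest = stream.partition(b"\n")
    return first, rest


def check_passphrase(passphrase):
    """Reject a passphrase that would end the passphrase line early.

    The advisory names newlines; also refusing carriage returns is a
    conservative choice made by this example.
    """
    if "\n" in passphrase or "\r" in passphrase:
        raise ValueError("passphrase must not contain line breaks")
    return passphrase


def build_stdin_checked(passphrase, data):
    """Validated framing: refuse to build the stream for a bad passphrase."""
    return build_stdin(check_passphrase(passphrase), data)


# Constructed sample values.
DATA = b"quarterly report\n"
GOOD = "correct horse battery staple"
BAD = "hunter2\nextra line"

if __name__ == "__main__":
    for label, pw in (("good", GOOD), ("bad", BAD)):
        seen_pw, seen_data = split_gpg_stdin(build_stdin(pw, DATA))
        print(label, "unvalidated ->", seen_pw, seen_data)
        try:
            build_stdin_checked(pw, DATA)
            print(label, "validated   -> accepted")
        except ValueError as exc:
            print(label, "validated   -> rejected:", exc)
```

Callers that cannot upgrade immediately can apply the same check to any untrusted passphrase before it reaches the wrapper.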