MGASA-2019-0105

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2019-0105.html

Import Source

https://advisories.mageia.org/MGASA-2019-0105.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2019-0105

Related

CVE-2019-6690

Published

2019-03-07T16:34:45Z

Modified

2019-03-07T16:07:29Z

Summary

Updated python-gnupg packages fix security vulnerability

Details

When symmetric encryption is used, data can be injected through the passphrase property of the gnupg.GPG.encrypt() and gnupg.GPG.decrypt() methods. The supplied passphrase is not validated for newlines, and the library passes --passphrase-fd=0 to the gpg executable, which expects the passphrase on the first line of stdin, and the ciphertext to be decrypted or plaintext to be encrypted on subsequent lines. By supplying a passphrase containing a newline an attacker can control/modify the ciphertext/plaintext being decrypted/encrypted (CVE-2019-6690).

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

MGASA-2019-0105

Affected packages