
Contents of /24341.adv



Revision 8364 - (show annotations) (download)
Thu Mar 7 16:07:29 2019 UTC (5 years, 1 month ago) by tmb
File size: 891 byte(s)
MGASA-2019-0105: python-gnupg-0.4.4-1.mga6
type: security
subject: Updated python-gnupg packages fix security vulnerability
CVE:
 - CVE-2019-6690
src:
  6:
   core:
     - python-gnupg-0.4.4-1.mga6
description: |
  When symmetric encryption is used, data can be injected through the
  passphrase property of the gnupg.GPG.encrypt() and gnupg.GPG.decrypt()
  methods. The supplied passphrase is not validated for newlines, and the
  library passes --passphrase-fd=0 to the gpg executable, which expects the
  passphrase on the first line of stdin, and the ciphertext to be decrypted
  or plaintext to be encrypted on subsequent lines. By supplying a passphrase
  containing a newline an attacker can control/modify the ciphertext/plaintext
  being decrypted/encrypted (CVE-2019-6690).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=24341
 - https://lists.opensuse.org/opensuse-updates/2019-02/msg00034.html
ID: MGASA-2019-0105
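
The stdin layout the description refers to, modelled in Python as an added example: it is not part of the advisory or of python-gnupg, it does not call gpg, and every function name and sample value is constructed for illustration. It shows how a newline in the passphrase moves the boundary between passphrase and data, and a newline check applied before the stream is built.

```python
from typing import Tuple


def build_stdin(passphrase: str, data: bytes) -> bytes:
    """Model of the stream fed to `gpg --passphrase-fd=0`: passphrase line, then data."""
    return passphrase.encode("utf-8") + b"\n" + data


def gpg_view(stream: bytes) -> Tuple[bytes, bytes]:
    """Model of gpg's reading of that stream: first line is the passphrase, the rest is data."""
    passphrase, _, payload = stream.partition(b"\n")
    return passphrase, payload


def payload_matches(passphrase: str, data: bytes) -> bool:
    """True when what gpg would see equals what the caller intended to send."""
    seen_pass, seen_data = gpg_view(build_stdin(passphrase, data))
    return seen_pass == passphrase.encode("utf-8") and seen_data == data


def validate_passphrase(passphrase: str) -> str:
    """Reject line terminators before the passphrase reaches the stream.

    Checking "\\r" as well as "\\n" is a conservative choice made for this example.
    """
    if "\n" in passphrase or "\r" in passphrase:
        raise ValueError("passphrase must not contain newline characters")
    return passphrase


def safe_build_stdin(passphrase: str, data: bytes) -> bytes:
    """Build the stream only after the passphrase has passed validation."""
    return build_stdin(validate_passphrase(passphrase), data)


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    for candidate in ("hunter2", "hunter2\nEXTRA"):
        print(repr(candidate), "->", gpg_view(build_stdin(candidate, b"report")),
              "intact" if payload_matches(candidate, b"report") else "boundary shifted")
        try:
            safe_build_stdin(candidate, b"report")
        except ValueError as exc:
            print("  rejected:", exc)
```
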
