type: security
subject: Updated python-gnupg packages fix security vulnerability
CVE:
  - CVE-2019-6690
src:
  6:
    core:
      - python-gnupg-0.4.4-1.mga6
description: |
  When symmetric encryption is used, data can be injected through the
  passphrase property of the gnupg.GPG.encrypt() and gnupg.GPG.decrypt()
  methods. The supplied passphrase is not validated for newlines, and the
  library passes --passphrase-fd=0 to the gpg executable, which expects the
  passphrase on the first line of stdin, and the ciphertext to be decrypted
  or plaintext to be encrypted on subsequent lines. By supplying a passphrase
  containing a newline an attacker can control/modify the ciphertext/plaintext
  being decrypted/encrypted (CVE-2019-6690).
references:
  - https://bugs.mageia.org/show_bug.cgi?id=24341
  - https://lists.opensuse.org/opensuse-updates/2019-02/msg00034.html
ID: MGASA-2019-0105