FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

password-store -- GPG parsing vulnerabilities

Affected packages
password-store < 1.7.2

Details

VuXML ID 53eb9e1e-7014-11e8-8b1f-3065ec8fd3ec
Discovery 2018-06-14
Entry 2018-06-14

Jason A. Donenfeld reports:

Markus Brinkmann discovered that [the] parsing of gpg command line output with regexes isn't anchored to the beginning of the line, which means an attacker can generate a malicious key that simply has the verification string as part of its username.

This has a number of nasty consequences:
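
The bug class the report describes, as an added shell illustration that is not code from password-store or from the report: two versions of a check that looks for gpg's VALIDSIG status line carrying a trusted fingerprint, one unanchored and one anchored to the start of the line, run over constructed status text in which the signer's user ID embeds a fake status line. The status-line layout, the fingerprints and the user IDs are constructed for this example, not captured from gpg.

```shell
#!/bin/sh
# Constructed stand-in for gpg's --status-fd output (not real gpg output).
# The signature really comes from ATTACKER_FPR; TRUSTED_FPR only appears because
# the signer's user ID (echoed by gpg in GOODSIG) was crafted to contain a
# fake "[GNUPG:] VALIDSIG ..." string.
TRUSTED_FPR="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
ATTACKER_FPR="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"

FORGED_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Mallory [GNUPG:] VALIDSIG $TRUSTED_FPR 2018-06-14 1528934400 0 4 0 1 8 00 $TRUSTED_FPR
[GNUPG:] VALIDSIG $ATTACKER_FPR 2018-06-14 1528934400 0 4 0 1 8 00 $ATTACKER_FPR"

GENUINE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Alice <alice@example.org>
[GNUPG:] VALIDSIG $TRUSTED_FPR 2018-06-14 1528934400 0 4 0 1 8 00 $TRUSTED_FPR"

# Vulnerable shape: the pattern may match anywhere in a line, so attacker-chosen
# text inside a user ID can satisfy it.  $1 = status text, $2 = trusted fingerprint.
check_unanchored() {
	if printf '%s\n' "$1" | grep -q "\[GNUPG:] VALIDSIG $2 "; then
		echo accepted
	else
		echo rejected
	fi
}

# Hardened shape: '^' pins the match to the start of the line, which only gpg
# itself writes; a user ID is always preceded by a status keyword.
check_anchored() {
	if printf '%s\n' "$1" | grep -q "^\[GNUPG:] VALIDSIG $2 "; then
		echo accepted
	else
		echo rejected
	fi
}

# Stand-alone demo: the unanchored check accepts the forged output, the anchored
# check rejects it and still accepts a genuine signature by the trusted key.
printf 'unanchored, forged:  %s\n' "$(check_unanchored "$FORGED_STATUS" "$TRUSTED_FPR")"
printf 'anchored,   forged:  %s\n' "$(check_anchored "$FORGED_STATUS" "$TRUSTED_FPR")"
printf 'anchored,   genuine: %s\n' "$(check_anchored "$GENUINE_STATUS" "$TRUSTED_FPR")"
```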

References

CVE Name CVE-2018-12356
URL https://lists.zx2c4.com/pipermail/password-store/2018-June/003308.html