Python-gnupg Security Vulnerability [low priority]


#1

Short story: You can usually fix these vulnerabilities by upgrading and updating your packages. Do this by running this in a shell:

sudo apt-get update; sudo apt-get upgrade

I would think this would be a “high” priority for Mail-in-a-Box users, since I believe Dovecot uses Python, and some users may be signing their emails with Python on their clients (or using a client that uses Python), which may be using Ubuntu Desktop. I just saw that this uses Ubuntu 19.04, 18.10, and 18.04 LTS. @murgero, @JoshData, @alento, am I wrong on my assessment?

Here is what Canonical says about the first one: “Marcus Brinkmann discovered that GnuPG before 2.2.8 improperly handled certain command line parameters. A remote attacker could use this to spoof the output of GnuPG and cause unsigned e-mail to appear signed. (CVE-2018-12020)”

Here is what Canonical says about the other one: “It was discovered that python-gnupg incorrectly handled the GPG passphrase. A remote attacker could send a specially crafted passphrase that would allow them to control the output of encryption and decryption operations. (CVE-2019-6690)”

https://usn.ubuntu.com/3964-1/

CVE-2018-12020
Ubuntu: https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12020.html
Debian: https://security-tracker.debian.org/tracker/CVE-2018-12020
Priority: Medium
(medium: “Open vulnerability that is a real problem and is exploitable for many users of the affected software. Examples include network daemon denial of service, cross-site scripting and gaining user privileges.”)
Description: “mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the “--status-fd 2” option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.”

CVE-2019-6690
Ubuntu: https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-6690.html
Debian: https://security-tracker.debian.org/tracker/CVE-2019-6690
Priority: Medium
(medium: “Open vulnerability that is a real problem and is exploitable for many users of the affected software. Examples include network daemon denial of service, cross-site scripting and gaining user privileges.”)
Description: “python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a “CWE-20: Improper Input Validation” issue affecting the affect functionality component.”


#2

I am pretty sure this would not affect Mail-in-a-Box. It’s possible the backups use python-gnupg, but there’s no risk that the passphrase would be controlled by an adversary.


#3

Good to know. @JoshData, I changed this to “low” priority then.