CVE-2019-6690

Published: 21 March 2019

python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component.

From the Ubuntu security team

It was discovered that python-gnupg incorrectly handled the GPG passphrase. A remote attacker could send a specially crafted passphrase that would allow them to control the output of encryption and decryption operations.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
python-gnupg
Launchpad, Ubuntu, Debian
Upstream
Released (0.4.4-1)
Ubuntu 21.04 (Hirsute Hippo) Needed

Ubuntu 20.10 (Groovy Gorilla) Needed

Ubuntu 20.04 LTS (Focal Fossa) Needed

Ubuntu 18.04 LTS (Bionic Beaver)
Released (0.4.1-1ubuntu1.18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(end of standard support, was needed)
Ubuntu 14.04 ESM (Trusty Tahr) Needed