CVE-2019-6690
Published: 21 March 2019
python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component.
From the Ubuntu Security Team
It was discovered that python-gnupg incorrectly handled the GPG passphrase. A remote attacker could send a specially crafted passphrase that would allow them to control the output of encryption and decryption operations.
Priority
Medium
CVSS 3 base score: 7.5
Status
| Package | Release | Status |
|---|---|---|
|
python-gnupg Launchpad, Ubuntu, Debian |
bionic |
Released
(0.4.1-1ubuntu1.18.04.1)
|
| cosmic |
Released
(0.4.1-1ubuntu1.18.10.1)
|
|
| disco |
Released
(0.4.3-1ubuntu1.19.04.1)
|
|
| eoan |
Ignored
(reached end-of-life)
|
|
| focal |
Needed
|
|
| groovy |
Ignored
(reached end-of-life)
|
|
| hirsute |
Ignored
(reached end-of-life)
|
|
| impish |
Ignored
(reached end-of-life)
|
|
| jammy |
Needed
|
|
| kinetic |
Needed
|
|
| precise |
Does not exist
|
|
| trusty |
Needed
|
|
| upstream |
Released
(0.4.4-1)
|
|
| xenial |
Ignored
(end of standard support, was needed)
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6690
- https://github.com/stigtsp/CVE-2019-6690-python-gnupg-vulnerability
- https://github.com/vsajip/python-gnupg/commit/39eca266dd837e2ad89c94eb17b7a6f50b25e7cf#diff-88b99bb28683bd5b7e3a204826ead112
- https://github.com/vsajip/python-gnupg/commit/3003b654ca1c29b0510a54b9848571b3ad57df19#diff-88b99bb28683bd5b7e3a204826ead112
- https://ubuntu.com/security/notices/USN-3964-1
- NVD
- Launchpad
- Debian