CVE-2019-6690
Published: 21 March 2019
python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component.
From the Ubuntu security team
It was discovered that python-gnupg incorrectly handled the GPG passphrase. A remote attacker could send a specially crafted passphrase that would allow them to control the output of encryption and decryption operations.
Priority
Medium
CVSS 3 base score: 7.5
Status
| Package | Release | Status |
|---|---|---|
|
python-gnupg Launchpad, Ubuntu, Debian |
Upstream |
Released
(0.4.4-1)
|
| Ubuntu 21.04 (Hirsute Hippo) |
Needed
|
|
| Ubuntu 20.10 (Groovy Gorilla) |
Ignored
(reached end-of-life)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Needed
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(0.4.1-1ubuntu1.18.04.1)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Ignored
(end of standard support, was needed)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Needed
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6690
- https://github.com/stigtsp/CVE-2019-6690-python-gnupg-vulnerability
- https://github.com/vsajip/python-gnupg/commit/39eca266dd837e2ad89c94eb17b7a6f50b25e7cf#diff-88b99bb28683bd5b7e3a204826ead112
- https://github.com/vsajip/python-gnupg/commit/3003b654ca1c29b0510a54b9848571b3ad57df19#diff-88b99bb28683bd5b7e3a204826ead112
- https://ubuntu.com/security/notices/USN-3964-1
- NVD
- Launchpad
- Debian