Your submission was sent successfully! Close

CVE-2019-6690

Published: 21 March 2019

python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component.

From the Ubuntu Security Team

It was discovered that python-gnupg incorrectly handled the GPG passphrase. A remote attacker could send a specially crafted passphrase that would allow them to control the output of encryption and decryption operations.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
python-gnupg
Launchpad, Ubuntu, Debian
bionic
Released (0.4.1-1ubuntu1.18.04.1)
cosmic
Released (0.4.1-1ubuntu1.18.10.1)
disco
Released (0.4.3-1ubuntu1.19.04.1)
eoan Ignored
(reached end-of-life)
focal Needed

groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Ignored
(reached end-of-life)
jammy Needed

kinetic Needed

precise Does not exist

trusty Needed

upstream
Released (0.4.4-1)
xenial Ignored
(end of standard support, was needed)