Format: 1.8
Date: Thu, 14 Feb 2019 13:26:00 +0100
Source: python-gnupg
Binary: python-gnupg python3-gnupg
Architecture: source all
Version: 0.3.6-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Elena Grandi <elena.valhalla@gmail.com>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 python-gnupg - Python wrapper for the Gnu Privacy Guard (Python 2.x)
 python3-gnupg - Python wrapper for the Gnu Privacy Guard (Python 3.x)
Changes:
 python-gnupg (0.3.6-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2019-6690:
     Alexander Kjäll and Stig Palmquist discovered a vulnerability in
     python-gnupg, a wrapper around GNU Privacy Guard. It was possible to
     inject data through the passphrase property of the gnupg.GPG.encrypt()
     and gnupg.GPG.decrypt() functions when symmetric encryption is used.
     The supplied passphrase is not validated for newlines, and the library
     passes --passphrase-fd=0 to the gpg executable, which expects the
     passphrase on the first line of stdin, and the ciphertext to be
     decrypted or plaintext to be encrypted on subsequent lines.
     By supplying a passphrase containing a newline an attacker can
     control/modify the ciphertext/plaintext being decrypted/encrypted.
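
The stdin framing described in the Changes entry above, modelled as an added example that is not part of the upload announcement and not python-gnupg's own code. All function names are hypothetical, the sample values are constructed, and no gpg process is started.

```python
"""Model of the stdin framing behind CVE-2019-6690. No gpg process is run."""


def build_gpg_stdin(passphrase: str, payload: bytes) -> bytes:
    # With --passphrase-fd=0 the passphrase and the data share one stream:
    # passphrase, a newline, then the plaintext or ciphertext.
    return passphrase.encode("utf-8") + b"\n" + payload


def split_as_gpg(stream: bytes) -> tuple:
    # The reader takes the first line as the passphrase, the rest as data.
    first_line, _, rest = stream.partition(b"\n")
    return first_line, rest


def framing_is_intact(passphrase: str, payload: bytes) -> bool:
    # True only if the reader recovers exactly what the caller intended.
    seen_pass, seen_data = split_as_gpg(build_gpg_stdin(passphrase, payload))
    return seen_pass == passphrase.encode("utf-8") and seen_data == payload


def check_passphrase(passphrase: str) -> str:
    # Validation the unpatched wrapper lacked. Rejecting "\r" as well is a
    # conservative choice of this example, not something the changelog states.
    if not isinstance(passphrase, str):
        raise TypeError("passphrase must be str")
    if "\n" in passphrase or "\r" in passphrase:
        raise ValueError("passphrase must not contain line breaks")
    return passphrase


def frame_checked(passphrase: str, payload: bytes) -> bytes:
    return build_gpg_stdin(check_passphrase(passphrase), payload)


if __name__ == "__main__":
    payload = b"quarterly report\n"  # constructed sample data
    for pw in ("correct horse", "correct horse\nprepended line"):  # constructed
        print(repr(pw), "intact:", framing_is_intact(pw, payload))
        try:
            frame_checked(pw, payload)
            print("  accepted by check_passphrase")
        except ValueError as exc:
            print("  rejected:", exc)
```

Callers that cannot upgrade the package immediately can apply a check like `check_passphrase` to any passphrase that originates from untrusted input before handing it to the wrapper.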