pass: Security Vulnerability: Faulty GPG Signature Checking (CVE-2018-12356)

Related Vulnerabilities: CVE-2018-12356  

Debian Bug report logs - #901574


Package: pass; Maintainer for pass is Colin Watson <cjwatson@debian.org>; Source for pass is src:password-store (PTS, buildd, popcon).

Reported by: Wesley Schwengle <wesley@schwengle.net>

Date: Thu, 14 Jun 2018 22:12:02 UTC

Severity: grave

Found in version password-store/1.7.1-4

Fixed in version password-store/1.7.2-1

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, wesley@schwengle.net, Colin Watson <cjwatson@debian.org>:
Bug#901574; Package pass. (Thu, 14 Jun 2018 22:12:04 GMT) (full text, mbox, link).


Acknowledgement sent to Wesley Schwengle <wesley@schwengle.net>:
New Bug report received and forwarded. Copy sent to wesley@schwengle.net, Colin Watson <cjwatson@debian.org>. (Thu, 14 Jun 2018 22:12:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Wesley Schwengle <wesley@schwengle.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pass: Security Vulnerability: Faulty GPG Signature Checking (CVE-2018-12356)
Date: Fri, 15 Jun 2018 00:08:33 +0200
Package: pass
Version: 1.6.5-7
Severity: important

Dear Maintainer,


I was reading https://lists.zx2c4.com/pipermail/password-store/2018-June/003308.html and checked my installation and saw the security fix wasn't applied yet.

Please apply commit:
https://git.zx2c4.com/password-store/commit/?id=8683403b77f59c56fcb1f05c61ab33b9fd61a30d

See also:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/11310766438958f0166ac0ba0d77fe0174f6e937




-- System Information:
Debian Release: 9.4
  APT prefers stable
  APT policy: (999, 'stable'), (900, 'testing'), (400, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968), LANGUAGE=en_US:en (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages pass depends on:
ii  gnupg   2.1.18-8~deb9u2
ii  gnupg2  2.1.18-8~deb9u2
ii  pwgen   2.07-1.1+b1
ii  tree    1.7.0-5

Versions of packages pass recommends:
ii  git     1:2.11.0-3+deb9u3
ii  gnupg2  2.1.18-8~deb9u2
ii  xclip   0.12+svn84-4+b1

Versions of packages pass suggests:
ii  libxml-simple-perl  2.22-1
iu  perl                5.24.1-3+deb9u4
ii  ruby                1:2.3.3

-- no debconf information



Severity set to 'grave' from 'important'. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Thu, 14 Jun 2018 22:21:02 GMT) (full text, mbox, link).


Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Fri, 15 Jun 2018 00:51:03 GMT) (full text, mbox, link).


Notification sent to Wesley Schwengle <wesley@schwengle.net>:
Bug acknowledged by developer. (Fri, 15 Jun 2018 00:51:03 GMT) (full text, mbox, link).


Message #12 received at 901574-close@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>
To: 901574-close@bugs.debian.org
Subject: Bug#901574: fixed in password-store 1.7.2-1
Date: Fri, 15 Jun 2018 00:49:45 +0000
Source: password-store
Source-Version: 1.7.2-1

We believe that the bug you reported is fixed in the latest version of
password-store, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901574@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated password-store package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 15 Jun 2018 01:16:58 +0100
Source: password-store
Binary: pass
Architecture: source
Version: 1.7.2-1
Distribution: unstable
Urgency: medium
Maintainer: Colin Watson <cjwatson@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 pass       - lightweight directory-based password manager
Closes: 901574
Changes:
 password-store (1.7.2-1) unstable; urgency=medium
 .
   * New upstream release:
     - CVE-2018-12356: Ensure signature regexes are anchored (closes:
       #901574).
Checksums-Sha1:
 b1ea37522f359b62c649d7a295641ebeeca869aa 1892 password-store_1.7.2-1.dsc
 d8027e01634cec0694a5513ab6950e639cf2c69c 63620 password-store_1.7.2.orig.tar.xz
 69aae8d84360bee5978e66afbf6241bc779c67c9 6288 password-store_1.7.2-1.debian.tar.xz
 acc6afe41737756b321a3dddad9b3799d62b417c 10724 password-store_1.7.2-1_source.buildinfo
Checksums-Sha256:
 8484d389c7e44716d8c12497be66e35ea3f6f03f8cfbbb0b9af5f639ec2e574a 1892 password-store_1.7.2-1.dsc
 4768c5e1965c4d2aeb28818681e484fb105b6f46cbd75a97608615c4ec6980ea 63620 password-store_1.7.2.orig.tar.xz
 86e3c09b5d4e5c4b7a4079a4c09858182d71eba0ea49d143434231fe2c2da461 6288 password-store_1.7.2-1.debian.tar.xz
 270a21afb11669dff9a0a0fd2e694c1a9f9fe3c8cc9b5f2b70800698e9dd52a0 10724 password-store_1.7.2-1_source.buildinfo
Files:
 50612f4566c3b8ad0da0667a068acad8 1892 admin optional password-store_1.7.2-1.dsc
 6e2fd1baae2354fe03fae85e403505be 63620 admin optional password-store_1.7.2.orig.tar.xz
 57e70ed142f43f81a13d05b76af974f3 6288 admin optional password-store_1.7.2-1.debian.tar.xz
 4941737e59a4b7b326332dafd6bb9bd1 10724 admin optional password-store_1.7.2-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Marked as found in versions password-store/1.7.1-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Jun 2018 03:57:04 GMT) (full text, mbox, link).


No longer marked as found in versions password-store/1.6.5-7. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Jun 2018 04:12:04 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 18 Jul 2018 07:31:29 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:33:19 2019; Machine Name: buxtehude
