An issue exists in password-store.sh in pass in Simple Password Store 1.7.x prior to 1.7.2. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote malicious users to spoof file signatures on configuration files and extension scripts. Modifying the configuration file allows the malicious user to inject additional encryption keys under their control, thereby disclosing passwords to the attacker. Modifying the extension scripts allows the attacker arbitrary code execution.
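One way a status-line pattern can be incomplete, shown as an added illustration in POSIX shell (this is not code from password-store.sh): a parser whose pattern may match mid-line, next to one that requires the VALIDSIG record to start the line. The fingerprint and status lines are constructed, and all function names are hypothetical.

```shell
#!/bin/sh
# Added illustration, not code from password-store.sh.
# Constructed fingerprint of the one key allowed to sign (40 hex digits).
TRUSTED=0123456789ABCDEF0123456789ABCDEF01234567

# Loose parser: the pattern may match anywhere in a line, so a VALIDSIG
# record embedded in other output is reported as a real signer.
signers_loose() {
    sed -n 's/.*\[GNUPG:] VALIDSIG \([A-F0-9]\{40\}\) .*/\1/p'
}

# Strict parser: the record must start the line, and field 3 must be
# exactly 40 uppercase hex digits.
signers_strict() {
    awk 'index($0, "[GNUPG:] VALIDSIG ") == 1 &&
         length($3) == 40 && $3 !~ /[^A-F0-9]/ { print $3 }'
}

# is_trusted PARSER: read status text on stdin and succeed only if
# PARSER reports the trusted fingerprint as a signer.
is_trusted() {
    "$1" | grep -qx "$TRUSTED"
}

# Constructed status text from a genuine verification.
genuine() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        "[GNUPG:] VALIDSIG $TRUSTED 2018-06-14 1528934400 0 4 0 1 8 00 $TRUSTED"
}

# Constructed status text where the record sits in the middle of a line.
embedded() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        "unrelated output [GNUPG:] VALIDSIG $TRUSTED 2018-06-14 1528934400 0 4 0 1 8 00 $TRUSTED"
}
```

Piping `embedded` through `is_trusted signers_loose` succeeds, while `is_trusted signers_strict` rejects it; both accept `genuine`.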
Vulnerable Product |
---|
simple password store project simple password store |
Brinkmann files third signature spoof vulnerability in a month

GnuPG patched to thwart 'fake filename'

Security researcher Marcus Brinkmann has turned up another vulnerability in the GnuPG cryptographic library, this time specific to the Simple Password Store. Brinkmann explained that CVE-2018-12356 offers both access to passwords and possible remote code execution. This bug is an incomplete regex in GnuPG's signature verification routine, meaning an attacker can spoof file signatures on configuration files and extension scripts (Brinkmann has dubbed the bug “SigSpoof 3” as the third signatur...