Accepted python-gnupg 0.3.6-1+deb8u1 (source all) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 14 Feb 2019 13:26:00 +0100
Source: python-gnupg
Binary: python-gnupg python3-gnupg
Architecture: source all
Version: 0.3.6-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Elena Grandi <elena.valhalla@gmail.com>
Changed-By: Markus Koschany <apo@debian.org>
Description:
python-gnupg - Python wrapper for the Gnu Privacy Guard (Python 2.x)
python3-gnupg - Python wrapper for the Gnu Privacy Guard (Python 3.x)
Changes:
python-gnupg (0.3.6-1+deb8u1) jessie-security; urgency=high
.
* Non-maintainer upload by the LTS team.
* Fix CVE-2019-6690:
Alexander Kjäll and Stig Palmquist discovered a vulnerability in
python-gnupg, a wrapper around GNU Privacy Guard. It was possible to inject
data through the passphrase property of the gnupg.GPG.encrypt() and
gnupg.GPG.decrypt() functions when symmetric encryption is used. The
supplied passphrase is not validated for newlines, and the library passes
--passphrase-fd=0 to the gpg executable, which expects the passphrase on
the first line of stdin, and the ciphertext to be decrypted or plaintext to
be encrypted on sebsequent lines.
By supplying a passphrase containing a newline an attacker can
control/modify the ciphertext/plaintext being decrypted/encrypted.
Checksums-Sha1:
82aa3a81bc8b7837caaf12e0c1d7a8d01793e0e4 2308 python-gnupg_0.3.6-1+deb8u1.dsc
4661039e19e357bfd310bd067b212475c8fffb7e 20855 python-gnupg_0.3.6.orig.tar.gz
6d90f9c352485b88c8ac6546c98484d3daeaf405 5828 python-gnupg_0.3.6-1+deb8u1.debian.tar.xz
2b6ecc5a5e27bbcf35fe366cb974f7d56f7454f1 15230 python-gnupg_0.3.6-1+deb8u1_all.deb
89943ad8ff6d854fdd336ce91665f6f318a133b4 15322 python3-gnupg_0.3.6-1+deb8u1_all.deb
Checksums-Sha256:
7c1b77d3f4d48badc71460db6a5553f4262b5675b1dd08ddc61daeaf10b13272 2308 python-gnupg_0.3.6-1+deb8u1.dsc
ffdfad1824fbde8ab94c50e08040edd6a82b4095c187994954471a38c45a094a 20855 python-gnupg_0.3.6.orig.tar.gz
03e3e5fc82a81e5f5c9c6ea7d273aabb17a1478609bdb33d107eb07cba296b3c 5828 python-gnupg_0.3.6-1+deb8u1.debian.tar.xz
a4313678e392f320561af98246f9741179a5f47e85e37b236e0ce55e7d3db42b 15230 python-gnupg_0.3.6-1+deb8u1_all.deb
ed5056179509de233b373800f541887e1344196923401126726797e341609d7d 15322 python3-gnupg_0.3.6-1+deb8u1_all.deb
Files:
443335e38f99c7e517635cfdc2a8768a 2308 python optional python-gnupg_0.3.6-1+deb8u1.dsc
27415bead227e8c6906900b7c777120c 20855 python optional python-gnupg_0.3.6.orig.tar.gz
1eea4a4caa1ffef1ecbd6e8e977a2a8c 5828 python optional python-gnupg_0.3.6-1+deb8u1.debian.tar.xz
957f93f7717b8dfb216f862413d7177d 15230 python optional python-gnupg_0.3.6-1+deb8u1_all.deb
df6f2cc4f0c7b580bc64489df4f898e1 15322 python optional python3-gnupg_0.3.6-1+deb8u1_all.deb
-----BEGIN PGP SIGNATURE-----
iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlxlbdlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkOZYQAJzyKa8o9sb5eo8KNtUWh729LlUrSXOR2zch
COOt6+ldWIjCjziY+XTV6qykMga06/TlRFHcLhBXYD7zi13Ie09B81f4S3ourRrH
Q4uKKU4ooQgfhJpNeh+QA2qACZMHUZDrEvC9I1bTaVLkOMXnZrPPpsbUt/zbyAB3
WoVBdeyoAHM0F8ToqkDtk61S/JKWZCGvmA+yv0gDTwctNzuIIx94fUb0vBPMazf6
LjOPBw7kGI1apLz37t3k4210rS7+MyC9EYGf6AsYVUSqZHkZH1rmzXmighiMC7d2
qBvFptpbrX9BfY3+JTKYwVjIp1VmMDNZouQrN0IifZkAMlg4zJ8q15lOOYoIuFYm
fIr0r98yBokJ32F+eFlrdATvAJYZ75Xmw8AU2nUaNPj5PVlkjDLCQYxiQE8+Pver
jXQ5LM70TUmV+J9baY6FGUO2m71tj/HssUao4A3bd7/T1f5HQov99uebo53bxLvM
4xpUo4ND+WAQSIS30+uiIfv3FpFVJICg7WU3Cbv0Zl2DlYK4gKz98ieDVYQjAlsI
rESRErbMITq5kgGraVizZ2/8soZ87iL9qmCkRycsntFn7YoboOfXTaKIBX8dVtF8
5qbWtr70b4H66/ZnU8LmlWY/4+1nu+6GTLcu43oppncP2ln8ZbIvzPADhxAxvyJG
0jbDlsCT
=8z82
-----END PGP SIGNATURE-----
Reply to: