EIQ-2019-0002

ID

EIQ-2019-0002

CVE

CVE-2019-6690

Description

Improper input validation in python-gnupg 0.4.3

Date

07 Mar 2019

Severity

3 - HIGH

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

Fixed in 2.3.4

Assessment

When symmetric encryption is used, it is possible to inject data through the passphrase parameter of
the gnupg.GPG.encrypt() and gnupg.GPG.decrypt() methods.

The supplied passphrase is not validated for new lines. The library passes --passphrase-fd=0 to the gpg executable, which expects the
passphrase on the first line of stdin, and the ciphertext to be decrypted or the plain text to be encrypted on the subsequent lines.

By supplying a passphrase that contains a new line, an attacker can therefore control or modify the ciphertext being decrypted or the plain text being encrypted, because everything after the first new line is read by gpg as the data rather than as the passphrase.
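The framing described in the assessment, as an added example that is not part of this advisory or of python-gnupg itself: a small model of the --passphrase-fd=0 stdin stream, a check that flags when a passphrase would shift the passphrase/data boundary, and the kind of line-break rejection a fix needs. The stream model and the validation function are assumptions for illustration, not the library's own code.

```python
import re
from typing import Tuple

# Any CR or LF ends the "first line" that gpg reads as the passphrase.
_LINE_BREAK = re.compile(r"[\r\n]")

def build_passphrase_fd_stream(passphrase: str, data: bytes) -> bytes:
    """Model (assumed, not the library's code) of the stdin stream that
    python-gnupg 0.4.3 hands to gpg with --passphrase-fd=0: the passphrase
    on the first line, then the data to encrypt or decrypt."""
    return passphrase.encode("utf-8") + b"\n" + data

def split_as_gpg_reads(stream: bytes) -> Tuple[bytes, bytes]:
    """Model of how gpg consumes fd 0 under --passphrase-fd=0: everything up
    to the first newline is the passphrase, the remainder is the payload."""
    passphrase, _, payload = stream.partition(b"\n")
    return passphrase, payload

def payload_was_altered(passphrase: str, data: bytes) -> bool:
    """Detection helper: True when this passphrase would make gpg operate on
    bytes other than the ones the caller intended to encrypt or decrypt."""
    _, seen = split_as_gpg_reads(build_passphrase_fd_stream(passphrase, data))
    return seen != data

def validate_passphrase(passphrase: str) -> str:
    """Hardened input check in the spirit of the 0.4.4 fix (assumed shape,
    not the upstream implementation): reject CR/LF before the value is
    written to stdin, so it can never spill into the data lines."""
    if _LINE_BREAK.search(passphrase):
        raise ValueError("passphrase must not contain line breaks")
    return passphrase

def build_checked_stream(passphrase: str, data: bytes) -> bytes:
    """Same framing as the vulnerable version, but validated first."""
    return build_passphrase_fd_stream(validate_passphrase(passphrase), data)

if __name__ == "__main__":
    # Constructed sample inputs; the payload stands in for a ciphertext.
    payload = b"-----BEGIN PGP MESSAGE-----"
    print(payload_was_altered("correct horse", payload))             # False
    print(payload_was_altered("correct horse\nextra line", payload))  # True
```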

Mitigation

Update to python-gnupg 0.4.4.

Affected versions

2.1.0 to 2.3.3 inclusive.

Notes

For more information, see CVE-2019-6690: Improper Input Validation in python-gnupg.

n/a – the CVE is currently reserved.

In release notes 2.3.3

In release notes 2.3.4