EIQ-2019-0002

ID

EIQ-2019-0002

CVE

CVE-2019-6690

Description

Improper input validation in python-gnupg 0.4.3.

Date

07 Mar 2019

Severity

3 - HIGH

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

✅ 2.3.4

Assessment

When symmetric encryption is used, data can be injected through the passphrase argument of the gnupg.GPG.encrypt() and gnupg.GPG.decrypt() methods.

The supplied passphrase is not validated for newline characters. The library passes --passphrase-fd 0 to the gpg executable and writes the passphrase, followed by a newline, to gpg's stdin ahead of the data. gpg reads the first line of stdin as the passphrase and treats everything after it as the input: the ciphertext to be decrypted or the plain text to be encrypted.

By supplying a passphrase containing a newline, an attacker who controls the passphrase value can therefore prepend arbitrary data to the plain text being encrypted or the ciphertext being decrypted, and so control or modify the message that gpg processes.
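
The following is an added example, written for this advisory and not code from python-gnupg, that models the stdin framing described above with plain bytes so it runs without gpg installed. It assumes the library's framing of passphrase, newline, then data (which is how python-gnupg 0.4.3 drives --passphrase-fd 0) and models gpg's side as "first line is the passphrase, the rest is the message". The vulnerable builder is shown beside a hardened one; the check in validate_passphrase() is this example's own and is deliberately stricter (it also rejects carriage returns) than the minimum the advisory calls for. All sample data is constructed.

```python
"""Constructed simulation of the newline-injection defect in python-gnupg 0.4.3.

Added example, not python-gnupg's own code. Assumptions:
  * the library writes  passphrase + "\n" + data  to gpg's stdin (--passphrase-fd 0)
  * gpg takes the first line of fd 0 as the passphrase and the remainder as the
    message to encrypt (plain text) or decrypt (ciphertext)
"""
from typing import Dict, Tuple


def build_stdin_vulnerable(passphrase: str, data: bytes) -> bytes:
    """Framing used by the vulnerable version: passphrase, newline, then the data.

    The passphrase is passed through unchecked, which is the defect: any newline
    inside it terminates the passphrase early from gpg's point of view.
    """
    return passphrase.encode("utf-8") + b"\n" + data


def gpg_split_stdin(stream: bytes) -> Tuple[bytes, bytes]:
    """Model of how gpg consumes fd 0 under --passphrase-fd 0.

    Returns (effective_passphrase, message_body). Everything up to the first
    newline is the passphrase; everything after it is the input message.
    """
    passphrase, _, body = stream.partition(b"\n")
    return passphrase, body


def validate_passphrase(passphrase: str) -> str:
    """Hardened check (this example's own, modelled on the idea of the 0.4.4 fix).

    Rejects LF, since that is the delimiter gpg keys on, and CR as a
    conservative extra so the passphrase can never end a line early.
    """
    if "\n" in passphrase or "\r" in passphrase:
        raise ValueError("passphrase must not contain newline characters")
    return passphrase


def build_stdin_fixed(passphrase: str, data: bytes) -> bytes:
    """Same framing as the vulnerable builder, but only after validation."""
    return build_stdin_vulnerable(validate_passphrase(passphrase), data)


def demo() -> Dict[str, object]:
    """Walk through the injection and the fix on constructed sample data."""
    plaintext = b"transfer 10 EUR to alice\n"          # constructed message
    honest = "correct horse battery staple"            # constructed passphrase
    # Attacker-controlled passphrase: the real passphrase, then a smuggled line.
    malicious = honest + "\ntransfer 10000 EUR to mallory"

    pw_ok, body_ok = gpg_split_stdin(build_stdin_vulnerable(honest, plaintext))
    pw_bad, body_bad = gpg_split_stdin(build_stdin_vulnerable(malicious, plaintext))

    try:
        build_stdin_fixed(malicious, plaintext)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "honest_passphrase_seen_by_gpg": pw_ok,
        "honest_body_seen_by_gpg": body_ok,
        # gpg still sees the honest passphrase, so encryption succeeds...
        "injected_passphrase_seen_by_gpg": pw_bad,
        # ...but the message now starts with the attacker's line.
        "injected_body_seen_by_gpg": body_bad,
        "rejected_by_fix": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point the simulation makes visible is that gpg's effective passphrase is unchanged by the attack, so the operation succeeds silently; only the message body differs. Any check that rejects newlines before the passphrase reaches stdin closes the channel, which is what updating the library delivers.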

Mitigation

Update to python-gnupg 0.4.4.

Affected versions

2.1.0 to 2.3.3 inclusive.

Notes

For more information, see CVE-2019-6690: Improper Input Validation in python-gnupg.