[Announce] [security fix] GnuPG 2.2.8 released (CVE-2018-12020)
Andre Heinecke
aheinecke at intevation.de
Fri Jun 8 17:03:07 CEST 2018
Hi,
I have a problem with the test
On Friday 8 June 2018 15:40:55 CEST Werner Koch wrote:
> [1] If you want to test whether you are affected by this bug, remove the
> indentation from the following block
>
> -----BEGIN PGP MESSAGE-----
>
> jA0EBwMC1pW2pqoYvbXl0p4Bo5z/v7PXy7T1BY/KQxWaE9uTBRbf4no64/+5YYzX
> +BVNqP+82aBFYXEsD9x1vGuYwofQ4m/q/WcQDEPXhRyzU+4yiT3EOuG7sTTaQR3b
> 8xAn2Qtpyq5tO7k9CN6dasaXKSduXVmFUqzgU+W9WaTLOKNDFw6FYV3lnOoPtFcX
> rzhh2opkX9Oh/5DUkZ6YmUIX3j/A0z+59/qNO1i2hQ==
> =zswl
> -----END PGP MESSAGE-----
>
> and pass to this pipeline
>
> gpg --no-options -vd 2>&1 | grep '^\[GNUPG:] INJECTED'
>
> If you get some output you are using a non-fixed version.
It asks me for a symetric passphrase. I leave that blank. Then I get "No
secret key" error. The command with the grep will of course return nothing
Example:
$ cat cve201812020
-----BEGIN PGP MESSAGE-----
jA0EBwMC1pW2pqoYvbXl0p4Bo5z/v7PXy7T1BY/KQxWaE9uTBRbf4no64/+5YYzX
+BVNqP+82aBFYXEsD9x1vGuYwofQ4m/q/WcQDEPXhRyzU+4yiT3EOuG7sTTaQR3b
8xAn2Qtpyq5tO7k9CN6dasaXKSduXVmFUqzgU+W9WaTLOKNDFw6FYV3lnOoPtFcX
rzhh2opkX9Oh/5DUkZ6YmUIX3j/A0z+59/qNO1i2hQ==
=zswl
-----END PGP MESSAGE-----
$ gpg --no-options -vd cve201812020
gpg: AES encrypted data
gpg: gcry_kdf_derive failed: Invalid data
gpg: encrypted with 1 passphrase
gpg: decryption failed: No secret key
$ gpg --version
gpg (GnuPG) 2.2.8-beta1
Which should be affected.
Best regards and thanks for your quick fix for this.
Andre
--
Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20180608/ce06a8b3/attachment.sig>
More information about the Gnupg-users
mailing list