Pass gets a fail: Simple Password Store suffers GnuPG spoofing bug

Security researcher Marcus Brinkmann has turned up another vulnerability in the GnuPG cryptographic library, this time specific to the Simple Password Store. Brinkmann explained that CVE-2018-12356 offers both access to passwords and possible remote code execution. This bug is an incomplete regex in GnuPG's signature …

  1. Anonymous Coward
    Anonymous Coward

    Always check your inputs

    Love Bobby Tables

    1. Charles 9

      Re: Always check your inputs

      Don't trust anything. Always assume the previous process is lying to you and the next process can't understand you.

  2. Hans 1
    Pint

    Thanks, Marcus!

    Pints due!

    Danke!

  3. ArrZarr Silver badge
    Joke

    I think he's been aiming to get in 11 bugs earlier for the big ticket number prestige.

  4. Crypto Monad Silver badge

    The real problem is...

    ... parsing unstructured output from the stdout of a command-line tool is not what you could call a robust API.

    If the tool had a mode to output JSON or XML, that might be better - as long as you parse it with a correspondingly robust library. But here we're talking about a shell script parsing the output of some other command, which is a recipe for security disaster.

    In my experience, most shell scripts I come across are littered with errors waiting to explode. The most common is unquoted variable expansions:

    rm $filename

    instead of

    rm -- "$filename"

    The former doesn't work if $filename contains a space. But it could also do very nasty things if the filename is, say, "-rf --no-preserve-root /"
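An added illustration of the word-splitting and option-injection point above (example code, not part of the comment). It uses a constructed stand-in for a command-line tool's option parser, so nothing is actually deleted; the names `classify`, `unsafe_call` and `safe_call` are assumptions for the demo.

```shell
#!/bin/sh
# Stand-in for how a typical utility such as rm parses its argv:
# arguments beginning with "-" are options until a bare "--" is seen,
# after which every remaining argument is treated as an operand.
# Prints "<option-count> <operand-count>" so the two call styles compare.
classify() {
    opts=0; ops=0; end=0
    for a in "$@"; do
        if [ "$end" -eq 0 ] && [ "$a" = "--" ]; then
            end=1
            continue
        fi
        if [ "$end" -eq 0 ]; then
            case $a in
                -*) opts=$((opts + 1)); continue ;;
            esac
        fi
        ops=$((ops + 1))
    done
    echo "$opts $ops"
}

# Unquoted expansion, like "rm $filename": the shell splits the value on
# whitespace (and would also glob-expand it), so one filename becomes
# several arguments, and any piece starting with "-" is parsed as an option.
# shellcheck disable=SC2086
unsafe_call() {
    classify $1
}

# Quoted expansion after "--", like 'rm -- "$filename"': the value stays a
# single argument and can never be taken for an option.
safe_call() {
    classify -- "$1"
}

# Constructed sample names mirroring the two failure modes in the comment.
demo() {
    echo "unquoted, space in name:  $(unsafe_call 'my file.txt')"
    echo "quoted,   space in name:  $(safe_call 'my file.txt')"
    echo "unquoted, option-looking: $(unsafe_call '-rf --no-preserve-root /')"
    echo "quoted,   option-looking: $(safe_call '-rf --no-preserve-root /')"
}
```

In the unquoted form the option-looking name reaches the tool as two options and one operand (the root directory); in the quoted form it is a single operand.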

    1. Nick Kew

      Re: The real problem is...

      Wot, you mean to say there might be a bug in my script? Yep, a commandline tool in a traditional unix pipeline doesn't belong in a security-critical situation. In the case of gnupg I can't even rely on $? .

      Though I'm not sure XML or JSON would really help much more than plain ol' CSV or ... um ... ASCII. What I could really use is a libgnupg, to include a high-level API matching gpg commandline options.

      1. Crypto Monad Silver badge

        Re: The real problem is...

        Agreed. Exit status would be reasonable for this sort of thing, but as you've found they don't bother to set it in important situations, nor even document the exit codes in the manpage.

        Have a look at gpgme for the API, although it's probably not as high-level as you'd like.

      2. Anonymous Coward
        Anonymous Coward

        Re: The real problem is...

        ASCII? Come, come, there’s more than one language in the world, you know!

  5. GnuTzu

    Strict Regexes

    There are times to use loose regexes, and there are times to use strict ones--even extremely strict ones. Which do you suppose is appropriate for parameter validation? That's a rhetorical question in case it isn't obvious.

  6. Claptrap314 Silver badge

    It's been mentioned before, but I'm convinced that the "be strict in what you send, and generous in what you accept" ethic is a security fail. It's part of the old-world Unix culture that we're all friends here.

    Uggh. Time to rewrite parameter parsing for everything?

    1. Charles 9

      I don't think you CAN rewrite it to cover all situations. Strict processes can be bombed with bad input, while loose ones can be exploited a la Confused Deputy. Neither one is desirable depending on the circumstances (which may not be the same even within the same process--and you may not even know which applies).
