CVE-2018-12356

Severity High
Remote Yes
Type Arbitrary code execution
Description
An issue was discovered in password-store.sh in pass in Simple Password Store 1.7 through 1.7.1. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files and extension scripts. Because the pattern is not anchored to the start of a status line, attacker-chosen text that GnuPG echoes elsewhere in its status output can match as though it were a VALIDSIG line. Modifying the configuration file allows the attacker to inject additional encryption keys under their control, thereby disclosing passwords to the attacker. Modifying the extension scripts allows the attacker arbitrary code execution as the user running pass.
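The following script is added here as an illustration; it is not code from password-store.sh or from the Arch advisory. It models the flaw in POSIX shell: an unanchored sed pattern run over constructed GnuPG --status-fd output accepts a fingerprint that the attacker planted in signature notation data, while an anchored pattern combined with an exact comparison does not. All fingerprints, key IDs and status lines are constructed for the example; the sed expressions are simplified models written for it rather than the project's exact code, and the hardened variant is one reasonable fix, not necessarily identical to the upstream commit.

```shell
#!/bin/sh
# Added example (not code from password-store.sh): a model of the CVE-2018-12356
# parsing flaw. A verification routine that pulls fingerprints out of GnuPG's
# --status-fd output with an unanchored regular expression can be fooled by
# attacker-chosen text that GnuPG itself echoes in that output, such as the
# NOTATION_DATA line for a signature notation. Fingerprints, key IDs and status
# lines below are constructed for this example.

TRUSTED_FPR='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'   # hypothetical trusted signing key
ATTACKER_FPR='BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'  # hypothetical attacker key

# Status output for a signature made with the attacker's key. The notation data
# is attacker-controlled and crafted to look like a VALIDSIG line for the
# trusted key; the only genuine VALIDSIG line names the attacker's key.
spoofed_status() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Attacker <attacker@example.com>
[GNUPG:] NOTATION_NAME spoof@example.com
[GNUPG:] NOTATION_DATA [GNUPG:] VALIDSIG $TRUSTED_FPR 2018-06-15 1529020800 0 4 0 1 8 00 $TRUSTED_FPR
[GNUPG:] VALIDSIG $ATTACKER_FPR 2018-06-15 1529020800 0 4 0 1 8 00 $ATTACKER_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Status output for a genuine signature made with the trusted key.
genuine_status() {
    cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Owner <owner@example.com>
[GNUPG:] VALIDSIG $TRUSTED_FPR 2018-06-15 1529020800 0 4 0 1 8 00 $TRUSTED_FPR
[GNUPG:] TRUST_ULTIMATE 0 pgp
EOF
}

# Vulnerable extraction (simplified model of the pre-fix behaviour): the pattern
# has no ^ anchor, so "[GNUPG:] VALIDSIG ..." embedded inside the NOTATION_DATA
# line matches as well, and the primary-key fingerprint at its end is emitted.
vuln_extract_fingerprints() {
    sed -n 's/\[GNUPG:\] VALIDSIG [A-F0-9]\{40\} .* \([A-F0-9]\{40\}\)$/\1/p'
}

# Vulnerable check: a substring test of the wanted fingerprint against the
# whole extracted text, on top of the loose extraction.
vuln_verify() {   # $1 = trusted fingerprint; GnuPG status output on stdin
    fps=$(vuln_extract_fingerprints)
    case "$fps" in
        *"$1"*) return 0 ;;
    esac
    return 1
}

# Hardened extraction: anchor the pattern to the start of the line so only a
# real VALIDSIG status line can match. Text GnuPG echoes on any other status
# line (NOTATION_DATA, user IDs, ...) can no longer reach the pattern.
fixed_extract_fingerprints() {
    sed -n 's/^\[GNUPG:\] VALIDSIG [A-F0-9]\{40\} .* \([A-F0-9]\{40\}\)$/\1/p'
}

# Hardened check: compare each extracted fingerprint as a whole line, not as a
# substring (grep -x = whole line, -F = literal string, -q = exit status only).
fixed_verify() {  # $1 = trusted fingerprint; GnuPG status output on stdin
    fixed_extract_fingerprints | grep -qxF "$1"
}

# Stand-alone demonstration: the vulnerable parser accepts the spoof, the
# hardened one rejects it.
for impl in vuln fixed; do
    if spoofed_status | "${impl}_verify" "$TRUSTED_FPR"; then
        echo "$impl: spoofed signature ACCEPTED as $TRUSTED_FPR"
    else
        echo "$impl: spoofed signature rejected"
    fi
done
```

The anchor alone closes the vector shown here; the exact-line comparison is added because a substring test over concatenated output is a second place where loosely parsed data can be matched against a trusted value. When auditing any script that grades GnuPG results, check that it reads `--status-fd` rather than human-readable stderr, that every status line it trusts is matched from column 0, and that fields copied from the signature (notations, user IDs) are never allowed to feed the match.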
Group    Package  Affected  Fixed    Severity  Status  Ticket
AVG-727  firefox  60.0.2-1  61.0-1   Critical  Fixed
AVG-720  pass     1.7.1-1   1.7.2-1  High      Fixed
Date         Advisory       Group    Package  Severity  Description
27 Jun 2018  ASA-201806-14  AVG-727  firefox  Critical  multiple issues
19 Jun 2018  ASA-201806-11  AVG-720  pass     High      arbitrary code execution
References
https://neopg.io/blog/pass-signature-spoof/
https://marc.info/?l=oss-security&m=152901317028506
https://github.com/zx2c4/password-store/commit/8683403b77f59c56fcb1f05c61ab33b9fd61a30d