CVE-2018-12356 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Arbitrary code execution
Description	An issue was discovered in password-store.sh in pass in Simple Password Store 1.7 through 1.7.1. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files and extensions scripts. Modifying the configuration file allows the attacker to inject additional encryption keys under their control, thereby disclosing passwords to the attacker. Modifying the extension scripts allows the attacker arbitrary code execution.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-727	firefox	60.0.2-1	61.0-1	Critical	Fixed
AVG-720	pass	1.7.1-1	1.7.2-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
27 Jun 2018	ASA-201806-14	AVG-727	firefox	Critical	multiple issues
19 Jun 2018	ASA-201806-11	AVG-720	pass	High	arbitrary code execution

References
https://neopg.io/blog/pass-signature-spoof/ https://marc.info/?l=oss-security&m=152901317028506 https://github.com/zx2c4/password-store/commit/8683403b77f59c56fcb1f05c61ab33b9fd61a30d