VulnerableCode Package Details - pkg:deb/ubuntu/python-gnupg@0.3.6-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-4u1u-zxbs-aaag Aliases: CVE-2018-12020	mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.	0.4.3-1ubuntu1 Affected by 0 other vulnerabilities.
VCID-f7z6-jm9f-aaap Aliases: CVE-2019-6690 GHSA-2fch-jvg5-crf6 GHSA-qh62-ch95-63wh PYSEC-2019-115 PYSEC-2019-45	python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component.	0.4.1-1ubuntu1.18.04.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-4u1u-zxbs-aaag
Aliases:
CVE-2018-12020

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.

0.4.3-1ubuntu1
Affected by 0 other vulnerabilities.

VCID-f7z6-jm9f-aaap
Aliases:
CVE-2019-6690
GHSA-2fch-jvg5-crf6
GHSA-qh62-ch95-63wh
PYSEC-2019-115
PYSEC-2019-45

python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component.

0.4.1-1ubuntu1.18.04.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-1w6t-r8pu-aaas	python-gnupg before 0.3.5 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.	CVE-2013-7323 GHSA-c2fx-8r76-gh36 PYSEC-2014-89
VCID-hx2x-2bd6-aaag	python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.	CVE-2014-1929 GHSA-vcr5-xr9h-mvc5 PYSEC-2014-92
VCID-rv7m-a4aw-aaas	The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulnerability than CVE-2014-1927. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.	CVE-2014-1928 GHSA-2jc8-4r6g-282j PYSEC-2014-91
VCID-swze-zwv1-aaaq	The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.	CVE-2014-1927 GHSA-r3vr-prwv-86g9 PYSEC-2014-90

Vulnerability

Summary

Aliases

VCID-1w6t-r8pu-aaas

python-gnupg before 0.3.5 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.

CVE-2013-7323
GHSA-c2fx-8r76-gh36
PYSEC-2014-89

VCID-hx2x-2bd6-aaag

python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

CVE-2014-1929
GHSA-vcr5-xr9h-mvc5
PYSEC-2014-92

VCID-rv7m-a4aw-aaas

The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulnerability than CVE-2014-1927. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

CVE-2014-1928
GHSA-2jc8-4r6g-282j
PYSEC-2014-91

VCID-swze-zwv1-aaaq

The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

CVE-2014-1927
GHSA-r3vr-prwv-86g9
PYSEC-2014-90

Next non-vulnerable version	0.4.3-1ubuntu1
Latest non-vulnerable version	0.4.3-1ubuntu1
Risk	4.0