VulnerableCode Package Details - pkg:deb/ubuntu/python-gnupg@0.3.5-1svn1

Search for packages

Vulnerability	Summary	Fixed by
VCID-1w6t-r8pu-aaas Aliases: CVE-2013-7323 GHSA-c2fx-8r76-gh36 PYSEC-2014-89	python-gnupg before 0.3.5 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.	0.3.6-1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-4u1u-zxbs-aaag Aliases: CVE-2018-12020	mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.	0.4.3-1ubuntu1 Affected by 0 other vulnerabilities.
VCID-f7z6-jm9f-aaap Aliases: CVE-2019-6690 GHSA-2fch-jvg5-crf6 GHSA-qh62-ch95-63wh PYSEC-2019-115 PYSEC-2019-45	python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component.	0.4.1-1ubuntu1.18.04.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-hx2x-2bd6-aaag Aliases: CVE-2014-1929 GHSA-vcr5-xr9h-mvc5 PYSEC-2014-92	python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.	0.3.6-1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-rv7m-a4aw-aaas Aliases: CVE-2014-1928 GHSA-2jc8-4r6g-282j PYSEC-2014-91	The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulnerability than CVE-2014-1927. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.	0.3.6-1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 0.3.8-2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-swze-zwv1-aaaq Aliases: CVE-2014-1927 GHSA-r3vr-prwv-86g9 PYSEC-2014-90	The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.	0.3.6-1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-1w6t-r8pu-aaas
Aliases:
CVE-2013-7323
GHSA-c2fx-8r76-gh36
PYSEC-2014-89

python-gnupg before 0.3.5 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.

0.3.6-1
Affected by 2 other vulnerabilities.

VCID-4u1u-zxbs-aaag
Aliases:
CVE-2018-12020

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.

0.4.3-1ubuntu1
Affected by 0 other vulnerabilities.

VCID-f7z6-jm9f-aaap
Aliases:
CVE-2019-6690
GHSA-2fch-jvg5-crf6
GHSA-qh62-ch95-63wh
PYSEC-2019-115
PYSEC-2019-45

python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component.

0.4.1-1ubuntu1.18.04.1
Affected by 1 other vulnerability.

VCID-hx2x-2bd6-aaag
Aliases:
CVE-2014-1929
GHSA-vcr5-xr9h-mvc5
PYSEC-2014-92

python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

0.3.6-1
Affected by 2 other vulnerabilities.

VCID-rv7m-a4aw-aaas
Aliases:
CVE-2014-1928
GHSA-2jc8-4r6g-282j
PYSEC-2014-91

The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulnerability than CVE-2014-1927. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

0.3.6-1
Affected by 2 other vulnerabilities.

0.3.8-2
Affected by 2 other vulnerabilities.

VCID-swze-zwv1-aaaq
Aliases:
CVE-2014-1927
GHSA-r3vr-prwv-86g9
PYSEC-2014-90

The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

0.3.6-1
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Next non-vulnerable version	0.4.3-1ubuntu1
Latest non-vulnerable version	0.4.3-1ubuntu1
Risk	4.5