SB2022070429 - Signature spoofing attack in GnuPG

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2022-34903)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to an error in GnuPG, which allows signature spoofing via arbitrary injection into the status line. A remote attacker who controls the secret part of any signing-capable key or subkey in the victim's keyring, can take advantage of this flaw to provide a correctly-formed signature that some software, including gpgme, will accept to have validity and signer fingerprint chosen from the attacker.

Remediation

Install update from vendor's website.

References

• https://dev.gnupg.org/T6027
• https://bugs.debian.org/1014157
• https://www.openwall.com/lists/oss-security/2022/06/30/1
• http://www.openwall.com/lists/oss-security/2022/07/02/1
• https://www.debian.org/security/2022/dsa-5174