From 2c9c9ff3a588bf5db4a9dc15078f13c6d264f16b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Mon, 18 Jun 2018 10:28:41 -0400
Subject: [PATCH] CVE-2018-12020: add no verbose to avoid fake signatures

The SigSpoof vulnerability found in GnuPG also affects Monkeysign, but
in a lesser way. We check signatures only in one place: when we import
images. This is a corner use case that is probably quite uncommon and
since it requires access to the file itself, it's likely there are
already other ways to import arbitrary signatures into monkeysign.

Still, we play it safe and disable the "verbose" mode that can
possibly be enabled in `gnupg.conf` as recommended by the reporter,
Marcus Brinkmann.
---
 monkeysign/gpg.py            | 1 +
 monkeysign/tests/test_gpg.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/monkeysign/gpg.py b/monkeysign/gpg.py
index b653f73..36487d0 100644
--- a/monkeysign/gpg.py
+++ b/monkeysign/gpg.py
@@ -105,6 +105,7 @@ class Context():
                 'with-colons': None,
                 'with-fingerprint': None,
                 'fixed-list-mode': None,
+                'no-verbose': None,
                 'list-options': 'show-sig-subpackets,show-uid-validity,show-unusable-uids,show-unusable-subkeys,show-keyring,show-sig-expire',
                 }
 
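Review bot: `--no-verbose` only suppresses the verbose-triggered log lines; the rendered option list in test_gpg.py still shows `--status-fd 2`, so gpg's machine-readable status lines and its diagnostic/log output share stderr, which is the precondition SigSpoof abuses (attacker-controlled text from the log stream being read back as `[GNUPG:]` status lines). The stronger mitigation from the advisory is to give `--status-fd` its own descriptor (an `os.pipe()` handed to the child) or to divert logging with `--log-file`, so nothing gpg prints as a diagnostic can ever reach the status parser; that is presumably a follow-up in the code that spawns gpg, which is not in this patch. A why-comment would also keep the next maintainer from dropping the option as redundant: `'no-verbose': None,  # CVE-2018-12020: override a 'verbose' in gnupg.conf so log output can't be mistaken for status lines`. The `options` dict and `class Context` begin above this hunk.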
diff --git a/monkeysign/tests/test_gpg.py b/monkeysign/tests/test_gpg.py
index 9c36528..5f92c8d 100755
--- a/monkeysign/tests/test_gpg.py
+++ b/monkeysign/tests/test_gpg.py
@@ -45,7 +45,7 @@ class TestContext(unittest.TestCase):
     options = Context.options
 
     # ... and this is the rendered version of the above
-    rendered_options = ['gpg', '--command-fd', '0', '--with-fingerprint', '--list-options', 'show-sig-subpackets,show-uid-validity,show-unusable-uids,show-unusable-subkeys,show-keyring,show-sig-expire', '--batch', '--fixed-list-mode', '--no-tty', '--with-colons', '--use-agent', '--status-fd', '2', '--quiet' ]
+    rendered_options = ['gpg', '--command-fd', '0', '--with-fingerprint', '--list-options', 'show-sig-subpackets,show-uid-validity,show-unusable-uids,show-unusable-subkeys,show-keyring,show-sig-expire', '--batch', '--fixed-list-mode', '--no-tty', '--with-colons', '--use-agent', '--status-fd', '2', '--quiet', '--no-verbose' ]
 
     def setUp(self):
         self.gpg = Context()
-- 
GitLab