Skip to content
Snippets Groups Projects
Select Git revision
  • 2.x default
  • dev/python3
  • debian-stretch
  • 2.2.x
  • codes
  • dev/changelog-parser
  • dev/gpg21
  • wtf/setuptools-scm
  • dev/config
  • dev/jerome
  • multiple-sign
  • 2.0.x protected
  • dev/sphinx-build
  • dev/trustdb
  • 1.x protected
  • dev/python-gnupg
  • dev/lang=c-tests
  • dev/ux-fpr-display
  • bpo
  • dev/tor
  • 2.2.4
  • 46c6d93
  • 2.2.3
  • 2.2.2
  • 2.2.1
  • 2.2.0
  • 2.1.4
  • 2.1.3
  • 2.1.2
  • 2.1.1
  • 2.1.0
  • 2.0.2
  • 2.0.1
  • 2.0.0
  • 1.2
  • 1.1
  • 1.0
  • 0.9
  • 0.8
  • 0.7.1
40 results

monkeysign

  • Clone with SSH
  • Clone with HTTPS
    • Antoine Beaupré's avatar
    CVE-2018-12020: add no verbose to avoid fake signatures
    anarcat authored 
    The SigSpoof vulnerability found in GnuPG also affects Monkeysign, but
in a lesser way. We check signatures only in one place: when we import
images. This is a corner use case that is probably quite uncommon and
since it requires access to the file in itself, it's likely there are
already other ways to import arbitrary signatures into monkeysign.

Still, we play it safe and disable the "verbose" mode that can
possibly be enabled in `gnupg.conf` as recommended by the reporter,
Marcus Brinkmann.
    2c9c9ff3
    History
    Antoine Beaupré's avatar 2c9c9ff3
    History
    Name Last commit Last update