python-gnupg@0.4.0 vulnerabilities

A wrapper for the Gnu Privacy Guard (GPG or GnuPG)

latest version

0.5.2.dev0
latest non vulnerable version

0.5.2.dev0
first published

11 years ago
latest version published

5 months ago
licenses detected
- BSD-2-Clause
  [0,)
View python-gnupg package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the python-gnupg package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Improper Input Validation python-gnupg is a command-line program which provides support for programmatic access via spawning a separate process to run it and then communicating with that process from your program. Affected versions of this package are vulnerable to Improper Input Validation. An attacker can inject data through the passphrase property of the `gnupg.GPG.encrypt()` and `gnupg.GPG.decrypt()` methods when symmetric encryption is used. The supplied passphrase is not validated for newlines, and the library passes `--passphrase-fd=0` to the gpg executable, which expects the passphrase on the first line of stdin, and the ciphertext to be decrypted or plaintext to be encrypted on subsequent lines. By supplying a passphrase containing a newline an attacker can control/modify the ciphertext/plaintext being decrypted/encrypted. How to fix Improper Input Validation? Upgrade `python-gnupg` to version 0.4.4 or higher.	[,0.4.4)

Improper Input Validation

python-gnupg is a command-line program which provides support for programmatic access via spawning a separate process to run it and then communicating with that process from your program.

Affected versions of this package are vulnerable to Improper Input Validation. An attacker can inject data through the passphrase property of the gnupg.GPG.encrypt() and gnupg.GPG.decrypt() methods when symmetric encryption is used.

The supplied passphrase is not validated for newlines, and the library passes --passphrase-fd=0 to the gpg executable, which expects the passphrase on the first line of stdin, and the ciphertext to be decrypted or plaintext to be encrypted on subsequent lines.

By supplying a passphrase containing a newline an attacker can control/modify the ciphertext/plaintext being decrypted/encrypted.

How to fix Improper Input Validation?

Upgrade python-gnupg to version 0.4.4 or higher.

[,0.4.4)

Go back to all versions of this package

python-gnupg@0.4.0 vulnerabilities

A wrapper for the Gnu Privacy Guard (GPG or GnuPG)

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities