Cryptographic Issues The advisory has been revoked - it doesn't affect any version of package snapd  (opens in a new tab)


Threat Intelligence

Exploit Maturity
Not Defined
EPSS
2.29% (90th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cryptographic Issues vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-UBUNTU2004-SNAPD-644098
  • published15 May 2019
  • disclosed22 May 2019

Introduced: 15 May 2019

CVE-2019-11841  (opens in a new tab)
CWE-310  (opens in a new tab)

Amendment

The Ubuntu security team deemed this advisory irrelevant for Ubuntu:20.04.

NVD Description

Note: Versions mentioned in the description apply only to the upstream snapd package and not the snapd package as distributed by Ubuntu.

A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. However, the Go clearsign package ignores the value of this header, which allows an attacker to spoof it. Consequently, an attacker can lead a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, since the library skips Armor Header parsing in general, an attacker can not only embed arbitrary Armor Headers, but also prepend arbitrary text to cleartext messages without invalidating the signatures.