{"id":"USN-3964-1","summary":"python-gnupg vulnerabilities","details":"\nMarcus Brinkmann discovered that GnuPG before 2.2.8 improperly handled certain\ncommand line parameters. A remote attacker could use this to spoof the output of\nGnuPG and cause unsigned e-mail to appear signed.\n(CVE-2018-12020)\n\nIt was discovered that python-gnupg incorrectly handled the GPG passphrase. A\nremote attacker could send a specially crafted passphrase that would allow them\nto control the output of encryption and decryption operations.\n(CVE-2019-6690)\n\n","modified":"2026-04-27T15:25:40.537863Z","published":"2019-05-02T14:47:59Z","related":["UBUNTU-CVE-2018-12020","UBUNTU-CVE-2019-6690"],"upstream":["CVE-2018-12020","CVE-2019-6690","UBUNTU-CVE-2018-12020","UBUNTU-CVE-2019-6690"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-3964-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-12020"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-6690"}],"affected":[{"package":{"name":"python-gnupg","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/python-gnupg@0.4.1-1ubuntu1.18.04.1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.4.1-1ubuntu1.18.04.1"}]}],"versions":["0.3.9-1","0.4.1-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"python-gnupg","binary_version":"0.4.1-1ubuntu1.18.04.1"},{"binary_name":"python3-gnupg","binary_version":"0.4.1-1ubuntu1.18.04.1"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3964-1.json","cves_map":{"ecosystem":"Ubuntu:18.04:LTS","cves":[{"id":"CVE-2018-12020","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2019-6690","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]}}}],"schema_version":"1.7.5"}