Security researcher Marcus Brinkmann has turned up another vulnerability in the GnuPG cryptographic library, this time specific to the Simple Password Store. Brinkmann explained that CVE-2018-12356 offers both access to passwords and possible remote code execution. This bug is an incomplete regex in GnuPG’s signature verification routine, meaning an attacker can spoof file signatures on configuration files and extension scripts (Brinkmann has dubbed the bug “SigSpoof 3” as the third signature spoofing bug he’s found).
ORIGINAL SOURCE: The Register
