password-store-1.7.4-3.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11150 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z password-store-1.7.4-3.1 on GA media These are all security issues fixed in the password-store-1.7.4-3.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11150 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11150 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-12356/ SUSE CVE CVE-2018-12356 page openSUSE Tumbleweed password-store-1.7.4-3.1 password-store-dmenu-1.7.4-3.1 password-store-1.7.4-3.1 as a component of openSUSE Tumbleweed password-store-dmenu-1.7.4-3.1 as a component of openSUSE Tumbleweed An issue was discovered in password-store.sh in pass in Simple Password Store 1.7.x before 1.7.2. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files and extension scripts. Modifying the configuration file allows the attacker to inject additional encryption keys under their control, thereby disclosing passwords to the attacker. Modifying the extension scripts allows the attacker arbitrary code execution. CVE-2018-12356 openSUSE Tumbleweed:password-store-1.7.4-3.1 openSUSE Tumbleweed:password-store-dmenu-1.7.4-3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-12356.html CVE-2018-12356 https://bugzilla.suse.com/1097774 SUSE Bug 1097774