Fix verification of package integrity via GnuPG (CVE-2018-12556) #7226

Closed
bernhardreiter opened this issue Apr 25, 2019 · 1 comment

Comments

@bernhardreiter

This is a security-related defect, described in detail at https://neopg.io/blog/yarn-signature-bypass/, and it has been assigned CVE-2018-12556.

The current code still looks unchanged, and it is assumed that it still has this problem:
https://github.com/yarnpkg/website/blob/3dd78bf17ae02ec2f03b899240869f943c30a0e5/install.sh#L49

In brief: it accepts signatures from all public keys in the default keyring of the user running the script. It would be better to make sure that only a signature by yarn's public key is accepted.
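The two checks the report contrasts, side by side, as an added example that is neither yarn's install.sh nor code from the issue author: a `gpg --verify` against the user's default keyring, and a verification pinned to one expected key through a private keyring plus a fingerprint check on GnuPG's `VALIDSIG` status line. It assumes GnuPG 2.1 or later on PATH; every key, user ID, fingerprint and file it uses is a throwaway fixture built in a temporary directory, and the pinning technique is one reasonable way to do it, not the fix the yarn project adopted.

```shell
#!/bin/sh
# Added example (not yarn's install.sh). Shows why "gpg --verify" against the
# user's default keyring accepts a signature from any key that happens to be
# in that keyring, and one way to pin verification to the expected key.
# Requires GnuPG 2.1+ on PATH. Every key, user ID and file below is a
# throwaway fixture built in a temporary directory.
set -eu

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/home"          # stands in for the user's ~/.gnupg
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
cleanup() { gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"; }
trap cleanup EXIT

# gpg with no prompts; demo keys are generated without a passphrase.
gpgb() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Generate a throwaway key for the given user ID and print its fingerprint.
make_key() {
  gpgb --quick-generate-key "$1" default default never >/dev/null 2>&1
  gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Detached, ASCII-armored signature of file $2 by signer $1, written to $3.
sign_with() {
  gpgb --yes --local-user "$1" --armor --output "$3" --detach-sign "$2"
}

# Weak check, the pattern the report points at: a good signature from ANY key
# in the default keyring gives exit status 0, trusted or not. An attacker only
# needs to get one key of theirs into that keyring.
verify_default_keyring() {   # $1 = signature, $2 = file
  gpg --batch --verify "$1" "$2" >/dev/null 2>&1
}

# Pinned check: a private keyring holding only the expected public key ($3),
# and a VALIDSIG status line that must name the expected fingerprint ($4).
# The exit status alone would not say which key made the signature.
verify_pinned() {             # $1 = signature, $2 = file
  kr="$WORK/pinned-$$.kbx"; rm -f "$kr" "$kr~"
  gpg --batch --no-default-keyring --keyring "$kr" --import "$3" >/dev/null 2>&1 || return 1
  gpg --batch --no-default-keyring --keyring "$kr" --status-fd 1 \
      --verify "$1" "$2" 2>/dev/null |
    awk -v fpr="$4" '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
                     END { exit !ok }'
}

demo() {
  YARN_UID="Yarn Release (fixture) <release@example.invalid>"
  OTHER_UID="Unrelated Key (fixture) <someone@example.invalid>"
  YARN_FPR="$(make_key "$YARN_UID")"
  OTHER_FPR="$(make_key "$OTHER_UID")"      # some other key in the user's keyring
  YARN_PUB="$WORK/yarn-release.pub"         # the key an installer should ship and pin
  gpg --batch --armor --export "$YARN_UID" > "$YARN_PUB"

  TARBALL="$WORK/yarn.tar.gz"
  printf 'constructed stand-in for a release tarball\n' > "$TARBALL"
  GOOD_SIG="$TARBALL.good.asc"; EVIL_SIG="$TARBALL.evil.asc"
  sign_with "$YARN_UID"  "$TARBALL" "$GOOD_SIG"
  sign_with "$OTHER_UID" "$TARBALL" "$EVIL_SIG"   # "release" signed by the wrong key

  report() { if "$@"; then echo "ACCEPTED"; else echo "rejected"; fi; }
  echo "default keyring, wrong key: $(report verify_default_keyring "$EVIL_SIG" "$TARBALL")"
  echo "pinned keyring,  wrong key: $(report verify_pinned "$EVIL_SIG" "$TARBALL" "$YARN_PUB" "$YARN_FPR")"
  echo "pinned keyring,  yarn key : $(report verify_pinned "$GOOD_SIG" "$TARBALL" "$YARN_PUB" "$YARN_FPR")"
}

if command -v gpg >/dev/null 2>&1; then demo; else echo "gpg not found; nothing to demonstrate" >&2; fi
```

The private keyring is what removes the dependence on whatever the user has imported over the years; the fingerprint check on `VALIDSIG` is what keeps the check correct even if a second key later ends up in that keyring. `gpgv --keyring <file>` is GnuPG's purpose-built tool for the same job and is a reasonable alternative to `gpg --no-default-keyring --keyring`.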

@bernhardreiter

There is a report for the website repo already at yarnpkg/website#937 (which I hadn't noticed before).
