CVE-2019-11627
📋 TL;DR
CVE-2019-11627 is a shell injection vulnerability in the gpg-key2ps utility of the signing-party package. Attackers can execute arbitrary commands by supplying crafted User IDs. Users of signing-party 1.1.x and 2.x before 2.10-1 are affected.
💻 Affected Systems
- signing-party
📦 What is this software?
Leap by openSUSE
Signing Party by Signing Party Project
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root privileges, allowing complete control over the affected system, data theft, and lateral movement.
Likely Case
Arbitrary command execution with the privileges of the user running gpg-key2ps, potentially leading to privilege escalation.
If Mitigated
Limited impact if input validation and least-privilege principles are followed (gpg-key2ps run only by unprivileged users on key data they trust), though any shell injection remains dangerous.
🎯 Exploit Status
Exploitation is straightforward via crafted User ID input; proof-of-concept details are publicly available in bug reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.10-1 and later
Vendor Advisory: https://bugs.debian.org/928256
Restart Required: No
Instructions:
1. Update the signing-party package using your distribution's package manager.
2. Debian/Ubuntu: sudo apt update && sudo apt install signing-party
3. openSUSE: sudo zypper update signing-party
🔧 Temporary Workarounds
Disable or remove gpg-key2ps
Remove or restrict execution of the vulnerable gpg-key2ps script if it is not needed (either command below is sufficient):
sudo rm /usr/bin/gpg-key2ps
sudo chmod 000 /usr/bin/gpg-key2ps
Input sanitization wrapper
Create a wrapper script that escapes the argument before passing it to gpg-key2ps. Note that this covers only what is given on the wrapper's command line.
#!/bin/bash
# Escape the command-line argument so shell metacharacters are passed
# through literally; this only covers arguments given to the wrapper.
[ "$#" -ge 1 ] || { echo "usage: $0 <key-id>" >&2; exit 1; }
safe_input=$(printf '%q' "$1")
exec /usr/bin/gpg-key2ps "$safe_input"
🧯 If You Can't Patch
- Restrict access to gpg-key2ps to trusted users only using file permissions or SELinux/AppArmor.
- Monitor and audit usage of gpg-key2ps for suspicious command executions or unusual User IDs.
🔍 How to Verify
Check if Vulnerable:
Check the signing-party version: dpkg -l signing-party | grep ^ii or rpm -q signing-party. If the version is earlier than 2.10-1, it is vulnerable.
Check Version:
dpkg -l signing-party 2>/dev/null | grep ^ii || rpm -q signing-party 2>/dev/null || echo 'Package not found'
Verify Fix Applied:
Confirm the installed version is 2.10-1 or later. Grepping for the literal string 2.10-1 misses later releases, so compare versions instead: v=$(dpkg-query -W -f='${Version}' signing-party) && dpkg --compare-versions "$v" ge 2.10-1 && echo fixed. On rpm-based systems, run rpm -q signing-party and check that the upstream version shown is 2.10 or later.
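As an added check that is not part of this advisory, the following POSIX sh script decides whether an installed signing-party version falls in the affected range, using dpkg's version comparison where available and a sort -V fallback otherwise. The 2.10-1 threshold is the Debian fixed version given above; the rpm query format for openSUSE systems is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original advisory: a version check for
# CVE-2019-11627 that compares properly instead of grepping for "2.10-1".
# The fixed version below is the Debian one named in the advisory; on
# rpm-based systems the release suffix differs, so compare the upstream
# part (2.10) there.
FIXED_VERSION="2.10-1"

# version_lt A B: succeed when A sorts before B.
# dpkg's comparison handles epochs and '~' when present; the sort -V
# fallback is enough for the plain x.y-z strings this package has used.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
            [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
    fi
}

# is_vulnerable_version V: succeed when V is in the affected range
# (any 1.1.x or 2.x release before 2.10-1).
is_vulnerable_version() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_version: print the installed signing-party version, if any.
# The rpm query format is an assumption for openSUSE systems.
installed_version() {
    dpkg-query -W -f='${Version}' signing-party 2>/dev/null ||
        rpm -q --qf '%{VERSION}-%{RELEASE}' signing-party 2>/dev/null
}

# check_signing_party: 0 = affected, 1 = fixed, 2 = not installed.
check_signing_party() {
    v=$(installed_version || true)
    if [ -z "$v" ]; then
        echo "signing-party: not installed"
        return 2
    elif is_vulnerable_version "$v"; then
        echo "signing-party $v: affected by CVE-2019-11627 (fixed in $FIXED_VERSION)"
        return 0
    else
        echo "signing-party $v: not affected"
        return 1
    fi
}
```

Run check_signing_party on a host to get a human-readable verdict and an exit status usable from a fleet-wide inventory script.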
📡 Detection & Monitoring
Log Indicators:
- Unusual command executions from gpg-key2ps process
- Shell errors or unexpected output in system logs
Network Indicators:
- Outbound connections from gpg-key2ps process if exploited for remote access
SIEM Query:
process.name:"gpg-key2ps" AND (command_line:*"*"* OR command_line:*"$"* OR command_line:*"`"*)
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00029.html
- https://bugs.debian.org/928256
- https://lists.debian.org/debian-lts-announce/2019/05/msg00001.html