Jason A. Donenfeld reports:
    Markus Brinkmann discovered that [the] parsing of gpg command line
    output with regexes isn't anchored to the beginning of the line,
    which means an attacker can generate a malicious key that simply has
    the verification string as part of its username.
    This has a number of nasty consequences:

      - an attacker who manages to write into your ~/.password-store
        and also inject a malicious key into your keyring can replace
        your .gpg-id key and have your passwords encrypted under
        additional keys;
      - if you have extensions enabled (disabled by default), an
        attacker who manages to write into your ~/.password-store and
        also inject a malicious key into your keyring can replace your
        extensions and hence execute code.