Back to search
CVE-2018-12020
Published: Jun 8, 2018
Modified: Aug 5, 2024
PUBLISHED
Description
mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
USN-3675-2
vendor-advisory
x_refsource_UBUNTU
RHSA-2018:2180
vendor-advisory
x_refsource_REDHAT
http://openwall.com/lists/oss-security/2018/06/08/2
x_refsource_MISC
DSA-4222
vendor-advisory
x_refsource_DEBIAN
RHSA-2018:2181
vendor-advisory
x_refsource_REDHAT
DSA-4224
vendor-advisory
x_refsource_DEBIAN
104450
vdb-entry
x_refsource_BID
DSA-4223
vendor-advisory
x_refsource_DEBIAN
USN-3675-3
vendor-advisory
x_refsource_UBUNTU
1041051
vdb-entry
x_refsource_SECTRACK
USN-3675-1
vendor-advisory
x_refsource_UBUNTU
https://dev.gnupg.org/T4012
x_refsource_MISC
[oss-security] 20190430 Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients)
mailing-list
x_refsource_MLIST
20190430 OpenPGP and S/MIME signature forgery attacks in multiple email clients
mailing-list
x_refsource_FULLDISC
USN-3964-1
vendor-advisory
x_refsource_UBUNTU
https://github.com/RUB-NDS/Johnny-You-Are-Fired
x_refsource_MISC
[debian-lts-announce] 20211228 [SECURITY] [DLA 2862-1] python-gnupg security update
mailing-list
x_refsource_MLIST
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now