CVE-2018-12020

Published: 08 Jun 2018
Source: debian

Description

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.

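Packages

| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| enigmail | fixed | 2:2.0.7-1 | | package |
| enigmail | end-of-life | | jessie | package |
| gnupg2 | fixed | 2.2.8-1 | | package |
| gnupg1 | fixed | 1.4.22-5 | | package |
| gnupg | removed | | | package |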

Notes

  • https://dev.gnupg.org/T4012

  • https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

  • https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=210e402acd3e284b32db1901e43bf1470e659e49 (STABLE-BRANCH-2-2)

  • https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2326851c60793653069494379b16d84e4c10a0ac (STABLE-BRANCH-1-4)

  • https://www.openwall.com/lists/oss-security/2018/06/13/10

  • https://neopg.io/blog/gpg-signature-spoof/

Related vulnerabilities

CVSS3: 7.5
ubuntu
more than 7 years ago

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.

CVSS3: 7.5
redhat
more than 7 years ago

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.

CVSS3: 7.5
nvd
more than 7 years ago

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.

suse-cvrf
more than 7 years ago

Security update for gpg2

suse-cvrf
more than 7 years ago

Security update for python-python-gnupg