CVE-2018-12020

Published: 08 Jun 2018
Source: debian
EPSS: Low

Description

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.

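Packages

| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| enigmail | fixed | 2:2.0.7-1 | | package |
| enigmail | end-of-life | | jessie | package |
| gnupg2 | fixed | 2.2.8-1 | | package |
| gnupg1 | fixed | 1.4.22-5 | | package |
| gnupg | removed | | | package |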

Notes

  • https://dev.gnupg.org/T4012

  • https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

  • https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=210e402acd3e284b32db1901e43bf1470e659e49 (STABLE-BRANCH-2-2)

  • https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2326851c60793653069494379b16d84e4c10a0ac (STABLE-BRANCH-1-4)

  • https://www.openwall.com/lists/oss-security/2018/06/13/10

  • https://neopg.io/blog/gpg-signature-spoof/

EPSS

Percentile: 86%
0.02796
Low

Related vulnerabilities

CVSS3: 7.5
ubuntu
more than 7 years ago

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.

CVSS3: 7.5
redhat
more than 7 years ago

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.

CVSS3: 7.5
nvd
more than 7 years ago

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.

suse-cvrf
more than 7 years ago

Security update for gpg2

suse-cvrf
more than 7 years ago

Security update for python-python-gnupg
