SUSE-SU-2018:1696-1

Published: 15 Jun 2018
Source: suse-cvrf

Description

Security update for gpg2

This update for gpg2 fixes the following issues:

  • CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745)

Package list

SUSE Linux Enterprise Point of Sale 11 SP3
gpg2-2.0.9-25.33.42.3.1
gpg2-lang-2.0.9-25.33.42.3.1
SUSE Linux Enterprise Server 11 SP3-LTSS
gpg2-2.0.9-25.33.42.3.1
gpg2-lang-2.0.9-25.33.42.3.1
SUSE Linux Enterprise Server 11 SP3-TERADATA
gpg2-2.0.9-25.33.42.3.1
gpg2-lang-2.0.9-25.33.42.3.1
SUSE Linux Enterprise Server 11 SP4
gpg2-2.0.9-25.33.42.3.1
gpg2-lang-2.0.9-25.33.42.3.1
SUSE Linux Enterprise Server for SAP Applications 11 SP4
gpg2-2.0.9-25.33.42.3.1
gpg2-lang-2.0.9-25.33.42.3.1

Description

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.


Affected products
SUSE Linux Enterprise Point of Sale 11 SP3:gpg2-2.0.9-25.33.42.3.1
SUSE Linux Enterprise Point of Sale 11 SP3:gpg2-lang-2.0.9-25.33.42.3.1
SUSE Linux Enterprise Server 11 SP3-LTSS:gpg2-2.0.9-25.33.42.3.1
SUSE Linux Enterprise Server 11 SP3-LTSS:gpg2-lang-2.0.9-25.33.42.3.1
