Description
Security update for gpg2
This update for gpg2 fixes the following security issue:
- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745)
Package list
SUSE Enterprise Storage 4
gpg2-2.0.24-9.3.1
gpg2-lang-2.0.24-9.3.1
SUSE Linux Enterprise Desktop 12 SP3
gpg2-2.0.24-9.3.1
gpg2-lang-2.0.24-9.3.1
SUSE Linux Enterprise Server 12 SP1-LTSS
gpg2-2.0.24-9.3.1
gpg2-lang-2.0.24-9.3.1
SUSE Linux Enterprise Server 12 SP2-LTSS
gpg2-2.0.24-9.3.1
gpg2-lang-2.0.24-9.3.1
SUSE Linux Enterprise Server 12 SP3
gpg2-2.0.24-9.3.1
gpg2-lang-2.0.24-9.3.1
SUSE Linux Enterprise Server 12-LTSS
gpg2-2.0.24-9.3.1
gpg2-lang-2.0.24-9.3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1
gpg2-2.0.24-9.3.1
gpg2-lang-2.0.24-9.3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2
gpg2-2.0.24-9.3.1
gpg2-lang-2.0.24-9.3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP3
gpg2-2.0.24-9.3.1
gpg2-lang-2.0.24-9.3.1
SUSE OpenStack Cloud 7
gpg2-2.0.24-9.3.1
gpg2-lang-2.0.24-9.3.1
References
- Link for SUSE-SU-2018:1698-1
- E-Mail link for SUSE-SU-2018:1698-1
- SUSE Security Ratings
- SUSE Bug 1096745
- SUSE CVE CVE-2018-12020 page
Description
mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
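The ambiguity described above, seen from the consuming program's side, as an added example that is not part of the advisory or of GnuPG: a line-based status parser cannot tell a genuine status record from diagnostic text when both share file descriptor 2, but it is unaffected when status arrives on its own pipe. The stream contents, the key ID, the signer name and the `gpg_bin` parameter are constructed assumptions.

```python
import os
import subprocess

STATUS_PREFIX = "[GNUPG:] "

def status_records(text):
    """Return (keyword, args) for each line that starts with the status prefix."""
    records = []
    for line in text.splitlines():
        if line.startswith(STATUS_PREFIX):
            keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
            records.append((keyword, args))
    return records

def signature_ok(text):
    """True if the stream contains a GOODSIG or VALIDSIG record."""
    return any(k in ("GOODSIG", "VALIDSIG") for k, _ in status_records(text))

# Constructed sample data, not captured from a real run; key ID and signer
# name are placeholders. The message is decrypted but carries no signature.
GENUINE_STATUS = "[GNUPG:] DECRYPTION_OKAY\n[GNUPG:] END_DECRYPTION\n"
# Diagnostic text that echoes an original filename containing line feeds.
STDERR_LOG = ("gpg: original file name='\n"
              "[GNUPG:] GOODSIG 0000000000000000 Placeholder Signer\n'\n")

# With '--status-fd 2' both kinds of output arrive on one descriptor.
SHARED_FD2 = STDERR_LOG + GENUINE_STATUS

def verify_with_dedicated_status_fd(path, gpg_bin="gpg"):
    """Run gpg with status on its own pipe; stderr text never reaches the parser.
    gpg_bin is an assumption about the local binary name."""
    r, w = os.pipe()
    proc = subprocess.Popen(
        [gpg_bin, "--batch", "--status-fd", str(w), "--verify", path],
        pass_fds=(w,), stderr=subprocess.DEVNULL)
    os.close(w)
    with os.fdopen(r, encoding="utf-8", errors="replace") as status:
        text = status.read()
    return proc.wait() == 0 and signature_ok(text)

if __name__ == "__main__":
    print("shared fd 2 reports good signature:", signature_ok(SHARED_FD2))
    print("dedicated status pipe reports good signature:", signature_ok(GENUINE_STATUS))
```

Keeping status on a dedicated descriptor limits what the parser is exposed to; installing the fixed gpg2 package listed in this advisory remains the remedy.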
Affected products
SUSE Enterprise Storage 4:gpg2-2.0.24-9.3.1
SUSE Enterprise Storage 4:gpg2-lang-2.0.24-9.3.1
SUSE Linux Enterprise Desktop 12 SP3:gpg2-2.0.24-9.3.1
SUSE Linux Enterprise Desktop 12 SP3:gpg2-lang-2.0.24-9.3.1
References
- CVE-2018-12020
- SUSE Bug 1096745
- SUSE Bug 1101134