openSUSE-SU-2018:1708-1

Published: 15 June 2018
Source: suse-cvrf

Description

Security update for enigmail

This update for enigmail fixes vulnerabilities that allowed spoofing of e-mail signatures:

  • CVE-2018-12019: signature spoofing via specially crafted OpenPGP user IDs (boo#1097525)
  • CVE-2018-12020: signature spoofing via diagnostic output of the original file name in GnuPG verbose mode (boo#1096745). This mitigation prevents CVE-2018-12020 from being exploited even if GnuPG is not patched.

Package list

SUSE Package Hub for SUSE Linux Enterprise 12
enigmail-2.0.7-18.1

Description

The signature verification routine in Enigmail before 2.0.7 interprets user ids as status/control messages and does not correctly keep track of the status of multiple signatures, which allows remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids.


Affected products
SUSE Package Hub for SUSE Linux Enterprise 12:enigmail-2.0.7-18.1


Description

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
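
The mixed-stream problem described above, as an added example that is not code from GnuPG, Enigmail or the advisory: a caller that parses `[GNUPG:]` lines from a descriptor shared with diagnostics accepts an injected GOODSIG, while the same parser fed a dedicated status stream fails closed. The function names, key ID, fingerprint and both sample streams are constructed for illustration, and the one-GOODSIG-plus-one-VALIDSIG policy is an assumption of this example.

```python
STATUS_PREFIX = "[GNUPG:] "
SIG_KEYWORDS = {"GOODSIG", "VALIDSIG", "BADSIG", "ERRSIG"}

# Constructed sample: what a caller using "--status-fd 2" with verbose output
# could read from fd 2 for an UNSIGNED message whose embedded original file
# name contains line feeds followed by status-looking text.
MIXED_FD2 = (
    b"gpg: original file name='report.txt\n"
    b"[GNUPG:] GOODSIG 0123456789ABCDEF Constructed User <user@example.org>\n"
    b"[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-06-01\n"
    b"'\n"
    b"[GNUPG:] PLAINTEXT 62 1527811200 report.txt\n"
)

# Constructed sample: the same run when status lines travel on their own
# descriptor, so diagnostic text never shares a stream with them.
DEDICATED_STATUS = b"[GNUPG:] PLAINTEXT 62 1527811200 report.txt\n"


def signature_statuses(stream: bytes) -> list:
    """Return (keyword, args) for every signature status line in a stream."""
    found = []
    for raw in stream.split(b"\n"):
        line = raw.decode("utf-8", errors="replace").rstrip("\r")
        if not line.startswith(STATUS_PREFIX):
            continue  # diagnostic text, not a status line
        keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
        if keyword in SIG_KEYWORDS:
            found.append((keyword, args))
    return found


def verdict(status_stream: bytes) -> str:
    """Fail closed: trust only exactly one GOODSIG with exactly one VALIDSIG.

    Assumed policy for this example; any other combination (no signature,
    several signatures, BADSIG/ERRSIG present) is reported as untrusted.
    """
    keywords = sorted(k for k, _ in signature_statuses(status_stream))
    return "good" if keywords == ["GOODSIG", "VALIDSIG"] else "untrusted"


if __name__ == "__main__":
    print("shared fd 2:     ", verdict(MIXED_FD2))
    print("dedicated status:", verdict(DEDICATED_STATUS))
```

The parser is identical in both calls; only the channel differs, which is why the verdict on the shared descriptor cannot be trusted.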


Affected products
SUSE Package Hub for SUSE Linux Enterprise 12:enigmail-2.0.7-18.1
