gnupg1: CVE-2018-12020: filename sanitization problem in GnuPG

Related Vulnerabilities: CVE-2018-12020  

Debian Bug report logs - #901088


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 8 Jun 2018 20:15:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version gnupg1/1.4.21-4

Fixed in versions gnupg1/1.4.22-5, gnupg1/1.4.21-4+deb9u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://dev.gnupg.org/T4012



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#901088; Package src:gnupg1. (Fri, 08 Jun 2018 20:15:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Fri, 08 Jun 2018 20:15:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gnupg1: CVE-2018-12020: filename sanitization problem in GnuPG
Date: Fri, 08 Jun 2018 22:10:31 +0200
Source: gnupg1
Version: 1.4.21-4
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://dev.gnupg.org/T4012

Hi,

The following vulnerability was published for gnupg1. I'm aware this
is only the legacy package; the issue, though, is present there, and not
having the fix in buster would later on represent a regression from the
updates in stretch. Hence the RC severity as well as the reasoning.

CVE-2018-12020[0]:
filename sanitization problem in GnuPG

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-12020
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
[1] https://dev.gnupg.org/T4012

Regards,
Salvatore



Reply sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
You have taken responsibility. (Fri, 08 Jun 2018 21:00:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 08 Jun 2018 21:00:04 GMT)


Message #10 received at 901088-close@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: 901088-close@bugs.debian.org
Subject: Bug#901088: fixed in gnupg1 1.4.22-5
Date: Fri, 08 Jun 2018 20:56:23 +0000
Source: gnupg1
Source-Version: 1.4.22-5

We believe that the bug you reported is fixed in the latest version of
gnupg1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901088@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <dkg@fifthhorseman.net> (supplier of updated gnupg1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 08 Jun 2018 16:24:29 -0400
Source: gnupg1
Binary: gnupg1 gpgv1 gnupg1-l10n
Architecture: source
Version: 1.4.22-5
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
Changed-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Description:
 gnupg1     - GNU privacy guard - a PGP implementation (deprecated "classic" ve
 gnupg1-l10n - GNU privacy guard "classic" - localization files (deprecated)
 gpgv1      - GNU privacy guard - signature verification tool (deprecated "clas
Closes: 901088
Changes:
 gnupg1 (1.4.22-5) unstable; urgency=medium
 .
   * use DEP-14 branch naming
   * d/control: add Rules-Requires-Root: no
   * Standards-Version: bump to 4.1.4 (no changes needed)
   * cherry-pick patches from upstream (Closes: #901088)
     fixing CVE-2018-12020





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 12 Jun 2018 22:06:24 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 12 Jun 2018 22:06:24 GMT)


Message #15 received at 901088-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 901088-close@bugs.debian.org
Subject: Bug#901088: fixed in gnupg1 1.4.21-4+deb9u1
Date: Tue, 12 Jun 2018 22:03:32 +0000
Source: gnupg1
Source-Version: 1.4.21-4+deb9u1

We believe that the bug you reported is fixed in the latest version of
gnupg1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901088@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated gnupg1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 08 Jun 2018 22:19:01 +0200
Source: gnupg1
Binary: gnupg1 gnupg1-curl gpgv1 gpgv1.4-udeb gnupg1-l10n
Architecture: source
Version: 1.4.21-4+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 901088
Description: 
 gnupg1     - GNU privacy guard - a PGP implementation (deprecated "classic" ve
 gnupg1-curl - GNU privacy guard (cURL helpers for deprecated "classic" version)
 gnupg1-l10n - GNU privacy guard "classic" - localization files (deprecated)
 gpgv1      - GNU privacy guard - signature verification tool (deprecated "clas
 gpgv1.4-udeb - minimal signature verification tool (deprecated "classic" version (udeb)
Changes:
 gnupg1 (1.4.21-4+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * gpg: Sanitize diagnostic with the original file name (CVE-2018-12020)
     (Closes: #901088)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 18 Jul 2018 07:32:43 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:03:44 2019; Machine Name: buxtehude
