
CVE-2018-12020

Published: 08/06/2018 Updated: 18/04/2022
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 447
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

mainproc.c in GnuPG prior to 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote malicious users to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
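The parsing ambiguity described above, as an added example that is not code from GnuPG or from any advisory on this page: a caller that reads status records from a dedicated pipe instead of fd 2, with a constructed log/status pair showing what each arrangement accepts. The sample strings, `verify`, `signature_ok` and `demo` are illustrative names and data; `--batch`, `--status-fd` and `--verify` are standard gpg options.

```python
import os
import subprocess

STATUS_PREFIX = "[GNUPG:] "

def parse_status(text):
    """Split status-channel text into (keyword, args) records."""
    records = []
    for line in text.splitlines():
        if line.startswith(STATUS_PREFIX):
            keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
            records.append((keyword, args))
    return records

def signature_ok(status_text):
    """True if a GOODSIG record is present. A production caller would also
    compare the VALIDSIG fingerprint against the key it expects."""
    return any(keyword == "GOODSIG" for keyword, _ in parse_status(status_text))

def verify(path, gpg="gpg"):
    """Run gpg --verify with status records on a dedicated pipe, never fd 2."""
    read_fd, write_fd = os.pipe()
    try:
        proc = subprocess.Popen(
            [gpg, "--batch", "--status-fd", str(write_fd), "--verify", path],
            pass_fds=(write_fd,),  # child sees the same descriptor number
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except OSError:
        os.close(read_fd)
        raise
    finally:
        os.close(write_fd)  # parent keeps only the read end
    with os.fdopen(read_fd, encoding="utf-8", errors="replace") as status:
        text = status.read()
    return proc.wait() == 0 and signature_ok(text)

# Constructed sample data (not captured from gpg): a log line that echoes an
# embedded file name containing a line feed, and the genuine status channel.
LOG_TEXT = ("gpg: original file name='\n"
            "[GNUPG:] GOODSIG 0000000000000000 Constructed Signer'\n")
STATUS_TEXT = "[GNUPG:] PLAINTEXT_LENGTH 5\n"

def demo():
    shared_fd2 = signature_ok(LOG_TEXT + STATUS_TEXT)  # logs and status merged
    dedicated = signature_ok(STATUS_TEXT)              # status pipe only
    return shared_fd2, dedicated
```

`demo()` shows that the merged stream is accepted while the dedicated status channel is not; updating to GnuPG 2.2.8 or later remains the actual fix.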

Vulnerable Product

redhat enterprise linux server aus 7.6

redhat enterprise linux server eus 7.5

redhat enterprise linux server eus 7.6

redhat enterprise linux server tus 7.6

redhat enterprise linux desktop 6.0

redhat enterprise linux server 6.0

redhat enterprise linux workstation 6.0

redhat enterprise linux server 7.0

redhat enterprise linux desktop 7.0

redhat enterprise linux workstation 7.0

canonical ubuntu linux 18.10

canonical ubuntu linux 12.04

canonical ubuntu linux 16.04

canonical ubuntu linux 18.04

canonical ubuntu linux 17.10

canonical ubuntu linux 19.04

canonical ubuntu linux 14.04

debian debian linux 8.0

debian debian linux 9.0

gnupg gnupg

Vendor Advisories

Debian Bug report logs - #901088 gnupg1: CVE-2018-12020: filename sanitization problem in GnuPG. Package: src:gnupg1; Maintainer for src:gnupg1 is Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Fri, 8 Jun 2018 20:15:02 UTC; Severity: grav ...
Synopsis: Important: gnupg2 security update. Type/Severity: Security Advisory: Important. Topic: An update for gnupg2 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, w ...
Synopsis: Important: gnupg2 security update. Type/Severity: Security Advisory: Important. Topic: An update for gnupg2 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, w ...
GnuPG could be made to incorrectly interpret the status of the cryptographic operation if it received specially crafted file ...
Several security issues were fixed in GnuPG ...
GnuPG 2 could be made to present validity information incorrectly ...
Several security issues were fixed in python-gnupg ...
Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email. Details can be found in the upstream advisory at lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html. For the oldstable distribution (jessie), ...
Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email. Details can be found in the upstream advisory at lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html. For the stable distribution (stretch), th ...
A data validation flaw was found in the way gnupg processes file names during decryption and signature validation. An attacker may be able to inject messages into gnupg verbose message logging which may have the potential to bypass the integrity of signature authentication mechanisms and could have other unintended consequences if applications take ...
A security issue has been found in gnupg before 2.2.8, leading to the possibility of faking verification status of signed content. The OpenPGP protocol allows including the file name of the original input file in a signed or encrypted message. During decryption and verification the GPG tool can display a notice with that file name. The displayed ...

Mailing Lists

oss-sec mailing list archives: Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients) ...

Recent Articles

GnuPG patched to thwart 'fake filename'
The Register • Richard Chirgwin • 12 Jun 2018

Missing input sanitisation fixed after hacker spat

If you're a developer relying on GnuPG, check upstream for an update that plugs an input sanitisation bug. The short version, given in CVE-2018-12020, is that mainproc.c mishandles the filename, and as a result, an attacker can spoof the output it sends to other programs. “For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes”, the Mitre advisory states. GnuPG maintainer Werner Koch explained...