mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
Advisories
Source ID Title
Debian DLA Debian DLA DLA-2862-1 python-gnupg security update
Debian DSA Debian DSA DSA-4222-1 gnupg2 security update
Debian DSA Debian DSA DSA-4223-1 gnupg1 security update
Debian DSA Debian DSA DSA-4224-1 gnupg security update
EUVD EUVD EUVD-2018-4011 mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
Ubuntu USN Ubuntu USN USN-3675-1 GnuPG vulnerabilities
Ubuntu USN Ubuntu USN USN-3675-2 GnuPG 2 vulnerability
Ubuntu USN Ubuntu USN USN-3675-3 GnuPG vulnerability
Ubuntu USN Ubuntu USN USN-3964-1 python-gnupg vulnerabilities
Ubuntu USN Ubuntu USN USN-4839-1 python-gnupg vulnerabilities
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-05T08:24:03.773Z

Reserved: 2018-06-07T00:00:00

Link: CVE-2018-12020

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-06-08T21:29:00.237

Modified: 2024-11-21T03:44:25.510

Link: CVE-2018-12020

cve-icon Redhat

Severity : Important

Publid Date: 2018-06-08T00:00:00Z

Links: CVE-2018-12020 - Bugzilla

cve-icon OpenCVE Enrichment

No data.