[ASA-201806-8] gnupg: content spoofing

Remi Gacogne rgacogne at archlinux.org
Thu Jun 14 08:46:32 UTC 2018


Arch Linux Security Advisory ASA-201806-8
=========================================

Severity: High
Date    : 2018-06-11
CVE-ID  : CVE-2018-12020
Package : gnupg
Type    : content spoofing
Remote  : Yes
Link    : https://security.archlinux.org/AVG-713

Summary
=======

The package gnupg before version 2.2.8-1 is vulnerable to content
spoofing.

Resolution
==========

Upgrade to 2.2.8-1.

# pacman -Syu "gnupg>=2.2.8-1"

The problem has been fixed upstream in version 2.2.8.

Workaround
==========

None.

Description
===========

A security issue has been found in gnupg before 2.2.8, leading to the
possibility of faking the verification status of signed content. The
OpenPGP protocol allows the file name of the original input file to be
included in a signed or encrypted message. During decryption and
verification the GPG tool can display a notice with that file name. The
displayed file name is not sanitized and as such may include line feeds
or other control characters. This can be used to inject terminal control
sequences into the output and, worse, to fake the so-called status
messages. These status messages are parsed by programs to get
information from gpg about the validity of a signature and other
parameters. Status messages are created with the option "--status-fd N",
where N is a file descriptor. If N is 2, the status messages and the
regular diagnostic messages share the stderr output channel. By using a
made-up file name in the message it is possible to fake status
messages. Using this technique it is, for example, possible to fake the
verification status of a signed mail.
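The shared-channel problem described above, as an added example that is not part of this advisory or of GnuPG: a minimal "[GNUPG:]" status-line parser run over a constructed stderr sample in which status lines and diagnostics share fd 2, next to the safer pattern of handing gpg a dedicated pipe for "--status-fd". The key ID, fingerprint and file name in the sample are made up, and reducing status records to a good/bad verdict is a simplification for illustration.

```python
import os
import subprocess
import threading

STATUS_PREFIX = "[GNUPG:] "

def parse_status(stream):
    """Split a status-fd stream into (keyword, arguments) records."""
    records = []
    for line in stream.splitlines():
        if line.startswith(STATUS_PREFIX):
            keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
            records.append((keyword, args))
    return records

def verdict(records):
    """Reduce status records to a signature verdict (simplified)."""
    keywords = {k for k, _ in records}
    if keywords & {"BADSIG", "ERRSIG"}:
        return "bad"
    if {"GOODSIG", "VALIDSIG"} <= keywords:
        return "good"
    return "no-signature"

# Constructed sample of the shared stderr channel that "--status-fd 2"
# yields on a vulnerable gpg: the message is only encrypted, never
# signed, but the unsanitized file-name notice prints two line feeds
# and two fake status lines verbatim.
SHARED_STDERR = (
    "gpg: encrypted with 2048-bit RSA key, ID 0123456789ABCDEF\n"
    "gpg: original file name='report.txt\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-06-11\n"
    "'\n"
    "[GNUPG:] DECRYPTION_OKAY\n"
)

def verify_from_shared_stderr(stderr):
    """Unsafe pattern: status lines and diagnostics read off one channel."""
    return verdict(parse_status(stderr))   # "good" for the unsigned sample

def gpg_verdict(gpg_args, data):
    """Safer pattern: status lines on a dedicated pipe, never on fd 2."""
    read_end, write_end = os.pipe()
    proc = subprocess.Popen(
        ["gpg", "--batch", "--status-fd", str(write_end), *gpg_args],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE,
        stderr=subprocess.PIPE, pass_fds=(write_end,),
    )
    os.close(write_end)                 # the child holds the only writer now
    chunks = []
    reader = threading.Thread(
        target=lambda: chunks.append(os.fdopen(read_end, "rb").read()))
    reader.start()
    proc.communicate(data)              # drains stdout/stderr meanwhile
    reader.join()
    return verdict(parse_status(chunks[0].decode("utf-8", "replace")))
```

With the dedicated pipe, the file-name notice still lands on stderr but can no longer reach the stream the parser trusts.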

Impact
======

A remote attacker might be able to fake the verification status of a
signed e-mail or file, via a crafted file name.

References
==========

https://bugs.archlinux.org/task/58931
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
https://dev.gnupg.org/T4012
https://dev.gnupg.org/rG210e402acd3e284b32db1901e43bf1470e659e49
https://security.archlinux.org/CVE-2018-12020
