[ASA-201806-8] gnupg: content spoofing
rgacogne at archlinux.org
Thu Jun 14 08:46:32 UTC 2018
Arch Linux Security Advisory ASA-201806-8
Date : 2018-06-11
CVE-ID : CVE-2018-12020
Package : gnupg
Type : content spoofing
Remote : Yes
Link : https://security.archlinux.org/AVG-713
The package gnupg before version 2.2.8-1 is vulnerable to content
Upgrade to 2.2.8-1.
# pacman -Syu "gnupg>=2.2.8-1"
The problem has been fixed upstream in version 2.2.8.
A security issue has been found in gnupg before 2.2.8, leading to the
possibility of faking the verification status of signed content. The
OpenPGP protocol allows the file name of the original input file to be
included in a signed or encrypted message. During decryption and
verification, the GPG tool can display a notice with that file name. The
displayed file name is not sanitized and as such may include line feeds
or other control characters. This can be used to inject terminal control
sequences into the output and, worse, to fake the so-called status
messages. These status messages are parsed by programs to get
information from gpg about the validity of a signature and other
parameters. Status messages are created with the option "--status-fd N",
where N is a file descriptor. If N is 2, the status messages and the
regular diagnostic messages share the stderr output channel. By using a
made-up file name in the message it is possible to fake status
messages. Using this technique it is, for example, possible to fake the
verification status of a signed mail.
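Added illustration (not code from the advisory or from GnuPG): a simulation of the two output channels that shows why a consumer reading status from a shared fd 2 can be misled by an unsanitized file name, and why a sanitized notice or a dedicated status fd prevents it. The status keywords are real GnuPG ones; the sample streams, the key id and the \xNN escaping are constructed assumptions.

```python
STATUS_PREFIX = "[GNUPG:] "

# Constructed sample of what gpg itself emits on the status channel for an
# encrypted but unsigned message: decryption succeeds, no signature status.
REAL_STATUS = (
    "[GNUPG:] BEGIN_DECRYPTION\n"
    "[GNUPG:] DECRYPTION_OKAY\n"
    "[GNUPG:] END_DECRYPTION\n"
)

# Constructed embedded file name of the kind the advisory describes: a line
# feed followed by a status line gpg never produced (key id is made up).
CRAFTED_NAME = (
    "report.txt\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>"
)

def sanitize_notice_name(name):
    """Escape control characters before the name is shown in a diagnostic
    line. The \\xNN rendering is an assumption for illustration; what matters
    is that no line feed survives into the notice."""
    return "".join(
        ch if ch >= " " and ch != "\x7f" else "\\x%02x" % ord(ch)
        for ch in name
    )

def status_channel(original_name, status_fd, sanitize):
    """Return the text a consumer reads as gpg's status output.
    With status_fd == 2 the status lines share stderr with the diagnostic
    notice, so whatever that notice contains is parsed as status too."""
    shown = sanitize_notice_name(original_name) if sanitize else original_name
    diagnostic = f"gpg: original file name='{shown}'\n"
    return diagnostic + REAL_STATUS if status_fd == 2 else REAL_STATUS

def parse_status(text):
    """Split '[GNUPG:] KEYWORD args' lines into (keyword, args) pairs."""
    pairs = []
    for line in text.splitlines():
        if line.startswith(STATUS_PREFIX):
            keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
            pairs.append((keyword, args))
    return pairs

def verification_ok(status_text):
    """Typical consumer check: a GOODSIG and no negative signature status."""
    keywords = {kw for kw, _ in parse_status(status_text)}
    bad = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
    return "GOODSIG" in keywords and not (keywords & bad)
```

Only the combination of an unsanitized notice and a shared fd 2 yields a false "verified" result; with the sanitized notice (gnupg 2.2.8) or with status on its own descriptor the consumer sees only what gpg actually reported.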
A remote attacker might be able to fake the verification status of a
signed e-mail or file, via a crafted file name.