ID CVE-2018-12020
Summary mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
References
Vulnerable Configurations
  • Red Hat Enterprise Linux Desktop 6.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:6.0
  • Red Hat Enterprise Linux Server 6.0
    cpe:2.3:o:redhat:enterprise_linux_server:6.0
  • Red Hat Enterprise Linux Workstation 6.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:6.0
  • cpe:2.3:o:canonical:ubuntu:17.10
    cpe:2.3:o:canonical:ubuntu:17.10
  • Canonical Ubuntu Linux 12.04 ESM (Extended Security Maintenance)
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:esm
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:-:-:-:lts
    cpe:2.3:o:canonical:ubuntu_linux:18.04:-:-:-:lts
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
  • GnuPG (Privacy Guard) 0.0.0 (initial release)
    cpe:2.3:a:gnupg:gnupg:0.0.0
  • GnuPG (Privacy Guard) 0.2.15
    cpe:2.3:a:gnupg:gnupg:0.2.15
  • GnuPG (Privacy Guard) 0.2.16
    cpe:2.3:a:gnupg:gnupg:0.2.16
  • GnuPG (Privacy Guard) 0.2.17
    cpe:2.3:a:gnupg:gnupg:0.2.17
  • GnuPG (Privacy Guard) 0.2.18
    cpe:2.3:a:gnupg:gnupg:0.2.18
  • GnuPG (Privacy Guard) 0.2.19
    cpe:2.3:a:gnupg:gnupg:0.2.19
  • GnuPG (Privacy Guard) 0.3.0
    cpe:2.3:a:gnupg:gnupg:0.3.0
  • GnuPG (Privacy Guard) 0.3.1
    cpe:2.3:a:gnupg:gnupg:0.3.1
  • GnuPG (Privacy Guard) 0.3.2
    cpe:2.3:a:gnupg:gnupg:0.3.2
  • GnuPG (Privacy Guard) 0.3.3
    cpe:2.3:a:gnupg:gnupg:0.3.3
  • GnuPG (Privacy Guard) 0.3.4
    cpe:2.3:a:gnupg:gnupg:0.3.4
  • GnuPG (Privacy Guard) 0.3.5
    cpe:2.3:a:gnupg:gnupg:0.3.5
  • GnuPG (Privacy Guard) 0.4.0
    cpe:2.3:a:gnupg:gnupg:0.4.0
  • GnuPG (Privacy Guard) 0.4.1
    cpe:2.3:a:gnupg:gnupg:0.4.1
  • GnuPG (Privacy Guard) 0.4.3
    cpe:2.3:a:gnupg:gnupg:0.4.3
  • GnuPG (Privacy Guard) 0.4.4
    cpe:2.3:a:gnupg:gnupg:0.4.4
  • GnuPG (Privacy Guard) 0.4.5
    cpe:2.3:a:gnupg:gnupg:0.4.5
  • GnuPG (Privacy Guard) 0.9.0
    cpe:2.3:a:gnupg:gnupg:0.9.0
  • GnuPG (Privacy Guard) 0.9.1
    cpe:2.3:a:gnupg:gnupg:0.9.1
  • GnuPG (Privacy Guard) 0.9.2
    cpe:2.3:a:gnupg:gnupg:0.9.2
  • GnuPG (Privacy Guard) 0.9.3
    cpe:2.3:a:gnupg:gnupg:0.9.3
  • GnuPG (Privacy Guard) 0.9.4
    cpe:2.3:a:gnupg:gnupg:0.9.4
  • GnuPG (Privacy Guard) 0.9.5
    cpe:2.3:a:gnupg:gnupg:0.9.5
  • GnuPG (Privacy Guard) 0.9.6
    cpe:2.3:a:gnupg:gnupg:0.9.6
  • GnuPG (Privacy Guard) 0.9.7
    cpe:2.3:a:gnupg:gnupg:0.9.7
  • GnuPG (Privacy Guard) 0.9.8
    cpe:2.3:a:gnupg:gnupg:0.9.8
  • GnuPG (Privacy Guard) 0.9.9
    cpe:2.3:a:gnupg:gnupg:0.9.9
  • GnuPG (Privacy Guard) 0.9.10
    cpe:2.3:a:gnupg:gnupg:0.9.10
  • GnuPG (Privacy Guard) 0.9.11
    cpe:2.3:a:gnupg:gnupg:0.9.11
  • GnuPG (Privacy Guard) 1.0.0
    cpe:2.3:a:gnupg:gnupg:1.0.0
  • GnuPG (Privacy Guard) 1.0.1
    cpe:2.3:a:gnupg:gnupg:1.0.1
  • GnuPG (Privacy Guard) 1.0.2
    cpe:2.3:a:gnupg:gnupg:1.0.2
  • GnuPG (Privacy Guard) 1.0.3
    cpe:2.3:a:gnupg:gnupg:1.0.3
  • GnuPG (Privacy Guard) 1.0.4
    cpe:2.3:a:gnupg:gnupg:1.0.4
  • GnuPG (Privacy Guard) 1.0.4:-:win32
    cpe:2.3:a:gnupg:gnupg:1.0.4:-:win32
  • GnuPG (Privacy Guard) 1.0.5
    cpe:2.3:a:gnupg:gnupg:1.0.5
  • GnuPG (Privacy Guard) 1.0.5:-:win32
    cpe:2.3:a:gnupg:gnupg:1.0.5:-:win32
  • GnuPG (Privacy Guard) 1.0.6
    cpe:2.3:a:gnupg:gnupg:1.0.6
  • GnuPG (Privacy Guard) 1.0.7
    cpe:2.3:a:gnupg:gnupg:1.0.7
  • GnuPG (Privacy Guard) 1.2.0
    cpe:2.3:a:gnupg:gnupg:1.2.0
  • GnuPG (Privacy Guard) 1.2.1
    cpe:2.3:a:gnupg:gnupg:1.2.1
  • GnuPG (Privacy Guard) 1.2.1:windows
    cpe:2.3:a:gnupg:gnupg:1.2.1:windows
  • GnuPG (Privacy Guard) 1.2.2
    cpe:2.3:a:gnupg:gnupg:1.2.2
  • GnuPG (Privacy Guard) 1.2.3
    cpe:2.3:a:gnupg:gnupg:1.2.3
  • GnuPG (Privacy Guard) 1.2.4
    cpe:2.3:a:gnupg:gnupg:1.2.4
  • GnuPG (Privacy Guard) 1.2.5
    cpe:2.3:a:gnupg:gnupg:1.2.5
  • GnuPG (Privacy Guard) 1.2.6
    cpe:2.3:a:gnupg:gnupg:1.2.6
  • GnuPG (Privacy Guard) 1.2.7
    cpe:2.3:a:gnupg:gnupg:1.2.7
  • GnuPG (Privacy Guard) 1.3.0
    cpe:2.3:a:gnupg:gnupg:1.3.0
  • GnuPG (Privacy Guard) 1.3.1
    cpe:2.3:a:gnupg:gnupg:1.3.1
  • GnuPG (Privacy Guard) 1.3.2
    cpe:2.3:a:gnupg:gnupg:1.3.2
  • GnuPG (Privacy Guard) 1.3.3
    cpe:2.3:a:gnupg:gnupg:1.3.3
  • GnuPG (Privacy Guard) 1.3.4
    cpe:2.3:a:gnupg:gnupg:1.3.4
  • GnuPG (Privacy Guard) 1.3.6
    cpe:2.3:a:gnupg:gnupg:1.3.6
  • GnuPG (Privacy Guard) 1.3.90
    cpe:2.3:a:gnupg:gnupg:1.3.90
  • GnuPG (Privacy Guard) 1.3.91
    cpe:2.3:a:gnupg:gnupg:1.3.91
  • GnuPG (Privacy Guard) 1.3.92
    cpe:2.3:a:gnupg:gnupg:1.3.92
  • GnuPG (Privacy Guard) 1.3.93
    cpe:2.3:a:gnupg:gnupg:1.3.93
  • GnuPG (Privacy Guard) 1.4.0
    cpe:2.3:a:gnupg:gnupg:1.4.0
  • GnuPG (Privacy Guard) 1.4.2
    cpe:2.3:a:gnupg:gnupg:1.4.2
  • GnuPG (Privacy Guard) 1.4.3
    cpe:2.3:a:gnupg:gnupg:1.4.3
  • GnuPG (Privacy Guard) 1.4.4
    cpe:2.3:a:gnupg:gnupg:1.4.4
  • GnuPG (Privacy Guard) 1.4.5
    cpe:2.3:a:gnupg:gnupg:1.4.5
  • GnuPG (Privacy Guard) 1.4.8
    cpe:2.3:a:gnupg:gnupg:1.4.8
  • GnuPG (Privacy Guard) 1.4.10
    cpe:2.3:a:gnupg:gnupg:1.4.10
  • GnuPG (Privacy Guard) 1.4.11
    cpe:2.3:a:gnupg:gnupg:1.4.11
  • GnuPG (Privacy Guard) 1.4.12
    cpe:2.3:a:gnupg:gnupg:1.4.12
  • GnuPG (Privacy Guard) 1.4.13
    cpe:2.3:a:gnupg:gnupg:1.4.13
  • GnuPG (Privacy Guard) 1.4.14
    cpe:2.3:a:gnupg:gnupg:1.4.14
  • GnuPG (Privacy Guard) 1.4.15
    cpe:2.3:a:gnupg:gnupg:1.4.15
  • GnuPG (Privacy Guard) 1.4.16
    cpe:2.3:a:gnupg:gnupg:1.4.16
  • GnuPG (Privacy Guard) 1.4.17
    cpe:2.3:a:gnupg:gnupg:1.4.17
  • GnuPG (Privacy Guard) 1.9.16
    cpe:2.3:a:gnupg:gnupg:1.9.16
  • GnuPG (Privacy Guard) 1.9.17
    cpe:2.3:a:gnupg:gnupg:1.9.17
  • GnuPG (Privacy Guard) 1.9.19
    cpe:2.3:a:gnupg:gnupg:1.9.19
  • GnuPG (Privacy Guard) 1.9.20
    cpe:2.3:a:gnupg:gnupg:1.9.20
  • GnuPG (Privacy Guard) 1.9.92
    cpe:2.3:a:gnupg:gnupg:1.9.92
  • GnuPG (Privacy Guard) 2.0
    cpe:2.3:a:gnupg:gnupg:2.0
  • GnuPG (Privacy Guard) 2.0.1
    cpe:2.3:a:gnupg:gnupg:2.0.1
  • GnuPG (Privacy Guard) 2.0.3
    cpe:2.3:a:gnupg:gnupg:2.0.3
  • GnuPG (Privacy Guard) 2.0.4
    cpe:2.3:a:gnupg:gnupg:2.0.4
  • GnuPG (Privacy Guard) 2.0.5
    cpe:2.3:a:gnupg:gnupg:2.0.5
  • GnuPG (Privacy Guard) 2.0.6
    cpe:2.3:a:gnupg:gnupg:2.0.6
  • GnuPG (Privacy Guard) 2.0.7
    cpe:2.3:a:gnupg:gnupg:2.0.7
  • GnuPG (Privacy Guard) 2.0.8
    cpe:2.3:a:gnupg:gnupg:2.0.8
  • GnuPG (Privacy Guard) 2.0.10
    cpe:2.3:a:gnupg:gnupg:2.0.10
  • GnuPG (Privacy Guard) 2.0.11
    cpe:2.3:a:gnupg:gnupg:2.0.11
  • GnuPG (Privacy Guard) 2.0.12
    cpe:2.3:a:gnupg:gnupg:2.0.12
  • GnuPG (Privacy Guard) 2.0.13
    cpe:2.3:a:gnupg:gnupg:2.0.13
  • GnuPG (Privacy Guard) 2.0.14
    cpe:2.3:a:gnupg:gnupg:2.0.14
  • GnuPG (Privacy Guard) 2.0.15
    cpe:2.3:a:gnupg:gnupg:2.0.15
  • GnuPG (Privacy Guard) 2.0.16
    cpe:2.3:a:gnupg:gnupg:2.0.16
  • GnuPG (Privacy Guard) 2.0.17
    cpe:2.3:a:gnupg:gnupg:2.0.17
  • GnuPG (Privacy Guard) 2.0.18
    cpe:2.3:a:gnupg:gnupg:2.0.18
  • GnuPG (Privacy Guard) 2.0.19
    cpe:2.3:a:gnupg:gnupg:2.0.19
  • GnuPG (Privacy Guard) 2.0.20
    cpe:2.3:a:gnupg:gnupg:2.0.20
  • GnuPG (Privacy Guard) 2.0.21
    cpe:2.3:a:gnupg:gnupg:2.0.21
  • GnuPG (Privacy Guard) 2.0.22
    cpe:2.3:a:gnupg:gnupg:2.0.22
  • GnuPG (Privacy Guard) 2.0.23
    cpe:2.3:a:gnupg:gnupg:2.0.23
  • GnuPG (Privacy Guard) 2.0.24
    cpe:2.3:a:gnupg:gnupg:2.0.24
  • GnuPG (Privacy Guard) 2.1.0 beta1
    cpe:2.3:a:gnupg:gnupg:2.1.0:beta1
CVSS
Base: 5.0
Impact:
Exploitability:
CWE CWE-19
CAPEC
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • XML Nested Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of attack will result in a denial of service due to an application becoming unstable, freezing, or crashing. However, it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
  • XML Oversized Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of attack will result in a denial of service due to an application becoming unstable, freezing, or crashing. However, it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
  • XML Client-Side Attack
    Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
  • XML Parser Attack
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4222.NASL
    description Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email. Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
    last seen 2018-09-01
    modified 2018-08-31
    plugin id 110421
    published 2018-06-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110421
    title Debian DSA-4222-1 : gnupg2 - security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-1696-1.NASL
    description This update for gpg2 fixes the following issues : - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 110594
    published 2018-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110594
    title SUSE SLES11 Security Update : gpg2 (SUSE-SU-2018:1696-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-69780FC4D7.NASL
    description - New upstream v1.4.23 (#1589802,#1589620,#1589624) - Remove patches included in upstream release - Note that this includes the fix for [CVE-2018-12020] ---- - doc Remove documentation for future option faked sys - build Don't use dev srandom on OpenBSD - Do not use C99 feature - g10 Fix regexp sanitization - g10 Push compress filter only if compressed - gpg Sanitize diagnostic with the original file name [CVE-2018-12020] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-06
    modified 2018-09-05
    plugin id 110931
    published 2018-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110931
    title Fedora 27 : gnupg (2018-69780fc4d7)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20180712_GNUPG2_ON_SL7_X.NASL
    description Security Fix(es) : - gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification (CVE-2018-12020)
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 111113
    published 2018-07-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111113
    title Scientific Linux Security Update : gnupg2 on SL7.x x86_64
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1221.NASL
    description According to the version of the gnupg2 package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A data validation flaw was found in the way gnupg processes file names during decryption and signature validation. An attacker may be able to inject messages into gnupg verbose message logging which may have the potential to bypass the integrity of signature authentication mechanisms and could have other unintended consequences if applications take action(s) based on parsed verbose gnupg output. (CVE-2018-12020) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-29
    plugin id 111183
    published 2018-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111183
    title EulerOS 2.0 SP2 : gnupg2 (EulerOS-SA-2018-1221)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3675-1.NASL
    description Marcus Brinkmann discovered that during decryption or verification, GnuPG did not properly filter out terminal sequences when reporting the original filename. An attacker could use this to specially craft a file that would cause an application parsing GnuPG output to incorrectly interpret the status of the cryptographic operation reported by GnuPG. (CVE-2018-12020) Lance Vick discovered that GnuPG did not enforce configurations where key certification required an offline master Certify key. An attacker with access to a signing subkey could generate certifications that appeared to be valid. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-9234). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 110475
    published 2018-06-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110475
    title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : gnupg, gnupg2 vulnerabilities (USN-3675-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2018-1045.NASL
    description A data validation flaw was found in the way gnupg processes file names during decryption and signature validation. An attacker may be able to inject messages into gnupg verbose message logging which may have the potential to bypass the integrity of signature authentication mechanisms and could have other unintended consequences if applications take action(s) based on parsed verbose gnupg output. (CVE-2018-12020)
    last seen 2018-09-01
    modified 2018-08-31
    plugin id 111605
    published 2018-08-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111605
    title Amazon Linux 2 : gnupg2 (ALAS-2018-1045)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20180712_GNUPG2_ON_SL6_X.NASL
    description Security Fix(es) : - gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification (CVE-2018-12020)
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 111050
    published 2018-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111050
    title Scientific Linux Security Update : gnupg2 on SL6.x i386/x86_64
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_7DA0417F6B2411E884CC002590ACAE31.NASL
    description GnuPG reports : GnuPG did not sanitize input file names, which may then be output to the terminal. This could allow terminal control sequences or fake status messages to be injected into the output.
    last seen 2018-09-02
    modified 2018-08-31
    plugin id 110430
    published 2018-06-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110430
    title FreeBSD : gnupg -- unsanitized output (CVE-2018-12020) (7da0417f-6b24-11e8-84cc-002590acae31)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4224.NASL
    description Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email. Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
    last seen 2018-09-02
    modified 2018-08-31
    plugin id 110423
    published 2018-06-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110423
    title Debian DSA-4224-1 : gnupg - security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-1698-1.NASL
    description This update for gpg2 fixes the following security issue : - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 110595
    published 2018-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110595
    title SUSE SLED12 / SLES12 Security Update : gpg2 (SUSE-SU-2018:1698-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-2180.NASL
    description An update for gnupg2 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. Security Fix(es) : * gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification (CVE-2018-12020) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2018-09-01
    modified 2018-08-30
    plugin id 111078
    published 2018-07-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111078
    title CentOS 6 : gnupg2 (CESA-2018:2180)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-84FDBD021F.NASL
    description Important security update to new upstream gnupg version 2.2.8 and libgpg-error 1.31 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-06
    modified 2018-09-05
    plugin id 110598
    published 2018-06-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110598
    title Fedora 27 : gnupg2 / libgpg-error (2018-84fdbd021f)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2018-0239.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - fix CVE-2018-12020 - missing sanitization of original filename
    last seen 2018-09-06
    modified 2018-09-05
    plugin id 111049
    published 2018-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111049
    title OracleVM 3.3 / 3.4 : gnupg2 (OVMSA-2018-0239)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4223.NASL
    description Marcus Brinkmann discovered that GnuPG performed insufficient sanitisation of file names displayed in status messages, which could be abused to fake the verification status of a signed email. Details can be found in the upstream advisory at https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
    last seen 2018-09-01
    modified 2018-08-31
    plugin id 110422
    published 2018-06-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110422
    title Debian DSA-4223-1 : gnupg1 - security update
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-2181.NASL
    description From Red Hat Security Advisory 2018:2181 : An update for gnupg2 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. Security Fix(es) : * gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification (CVE-2018-12020) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2018-09-06
    modified 2018-09-05
    plugin id 111025
    published 2018-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111025
    title Oracle Linux 7 : gnupg2 (ELSA-2018-2181)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3675-2.NASL
    description USN-3675-1 fixed a vulnerability in GnuPG 2 for Ubuntu 18.04 LTS and Ubuntu 17.10. This update provides the corresponding update for GnuPG 2 in Ubuntu 16.04 LTS and Ubuntu 14.04 LTS. Original advisory details : Marcus Brinkmann discovered that during decryption or verification, GnuPG did not properly filter out terminal sequences when reporting the original filename. An attacker could use this to specially craft a file that would cause an application parsing GnuPG output to incorrectly interpret the status of the cryptographic operation reported by GnuPG. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 110549
    published 2018-06-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110549
    title Ubuntu 14.04 LTS / 16.04 LTS : gnupg2 vulnerability (USN-3675-2)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-2180.NASL
    description From Red Hat Security Advisory 2018:2180 : An update for gnupg2 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. Security Fix(es) : * gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification (CVE-2018-12020) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2018-09-06
    modified 2018-09-05
    plugin id 111024
    published 2018-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111024
    title Oracle Linux 6 : gnupg2 (ELSA-2018-2180)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-1045.NASL
    description A data validation flaw was found in the way gnupg processes file names during decryption and signature validation. An attacker may be able to inject messages into gnupg verbose message logging which may have the potential to bypass the integrity of signature authentication mechanisms and could have other unintended consequences if applications take action(s) based on parsed verbose gnupg output. (CVE-2018-12020)
    last seen 2018-09-01
    modified 2018-08-31
    plugin id 110784
    published 2018-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110784
    title Amazon Linux AMI : gnupg / gnupg2 (ALAS-2018-1045)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2018-159-01.NASL
    description New gnupg2 packages are available for Slackware 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue.
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 110432
    published 2018-06-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110432
    title Slackware 13.37 / 14.0 / 14.1 / 14.2 / current : gnupg2 (SSA:2018-159-01)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-640.NASL
    description This update for gpg2 fixes the following security issue : - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745)
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 110589
    published 2018-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110589
    title openSUSE Security Update : gpg2 (openSUSE-2018-640)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-630.NASL
    description This update for enigmail fixes vulnerabilities that allowed spoofing of e-mail signatures : - CVE-2018-12019: signature spoofing via specially crafted OpenPGP user IDs (boo#1097525) - CVE-2018-12020: signature spoofing via diagnostic output of the original file name in GnuPG verbose mode (boo#1096745) This mitigation prevents CVE-2018-12020 from being exploited even if GnuPG is not patched.
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 110586
    published 2018-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110586
    title openSUSE Security Update : enigmail (openSUSE-2018-630)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-646.NASL
    description This update for python-python-gnupg to version 0.4.3 fixes the following issues : The following security vulnerabilities were addressed : - Sanitize diagnostic output of the original file name in verbose mode (CVE-2018-12020 boo#1096745) The following other changes were made : - Add --no-verbose to the gpg command line, in case verbose is specified in gpg.conf. - Add expect_passphrase password for use on GnuPG >= 2.1 when passing passphrase to gpg via pinentry - Provide a trust_keys method to allow setting the trust level for keys - When the gpg executable is not found, note the path used in the exception message - Make error messages more informational
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 110591
    published 2018-06-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110591
    title openSUSE Security Update : python-python-gnupg (openSUSE-2018-646)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2018-170-01.NASL
    description New gnupg packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue.
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 110619
    published 2018-06-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110619
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : gnupg (SSA:2018-170-01)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2181.NASL
    description An update for gnupg2 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. Security Fix(es) : * gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification (CVE-2018-12020) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 111034
    published 2018-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111034
    title RHEL 7 : gnupg2 (RHSA-2018:2181)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2180.NASL
    description An update for gnupg2 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. Security Fix(es) : * gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification (CVE-2018-12020) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 111033
    published 2018-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111033
    title RHEL 6 : gnupg2 (RHSA-2018:2180)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-2181.NASL
    description An update for gnupg2 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. Security Fix(es) : * gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification (CVE-2018-12020) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2018-09-02
    modified 2018-08-30
    plugin id 111079
    published 2018-07-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111079
    title CentOS 7 : gnupg2 (CESA-2018:2181)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1223.NASL
    description According to the version of the gnupg2 package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A data validation flaw was found in the way gnupg processes file names during decryption and signature validation. An attacker may be able to inject messages into gnupg verbose message logging which may have the potential to bypass the integrity of signature authentication mechanisms and could have other unintended consequences if applications take action(s) based on parsed verbose gnupg output. (CVE-2018-12020) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2018-08-29
    plugin id 111643
    published 2018-08-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111643
    title EulerOS 2.0 SP3 : gnupg2 (EulerOS-SA-2018-1223)
redhat via4
advisories
  • bugzilla
    id 1589620
    title CVE-2018-12020 gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment gnupg2 is earlier than 0:2.0.14-9.el6_10
          oval oval:com.redhat.rhsa:tst:20182180007
        • comment gnupg2 is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20131459006
      • AND
        • comment gnupg2-smime is earlier than 0:2.0.14-9.el6_10
          oval oval:com.redhat.rhsa:tst:20182180005
        • comment gnupg2-smime is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20131459008
    rhsa
    id RHSA-2018:2180
    released 2018-07-11
    severity Important
    title RHSA-2018:2180: gnupg2 security update (Important)
  • bugzilla
    id 1589620
    title CVE-2018-12020 gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment gnupg2 is earlier than 0:2.0.22-5.el7_5
          oval oval:com.redhat.rhsa:tst:20182181007
        • comment gnupg2 is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20131459006
      • AND
        • comment gnupg2-smime is earlier than 0:2.0.22-5.el7_5
          oval oval:com.redhat.rhsa:tst:20182181005
        • comment gnupg2-smime is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20131459008
    rhsa
    id RHSA-2018:2181
    released 2018-07-11
    severity Important
    title RHSA-2018:2181: gnupg2 security update (Important)
rpms
  • gnupg2-0:2.0.14-9.el6_10
  • gnupg2-smime-0:2.0.14-9.el6_10
  • gnupg2-0:2.0.22-5.el7_5
  • gnupg2-smime-0:2.0.22-5.el7_5
refmap via4
bid 104450
debian
  • DSA-4222
  • DSA-4223
  • DSA-4224
misc
sectrack 1041051
ubuntu
  • USN-3675-1
  • USN-3675-2
  • USN-3675-3
the hacker news via4
id THN:7AF4F467FCD2B758CD46FDBECE48E35F
last seen 2018-06-15
modified 2018-06-15
published 2018-06-15
reporter Swati Khandelwal
source https://thehackernews.com/2018/06/gnupg-encryption-signature.html
title GnuPG Flaw in Encryption Tools Lets Attackers Spoof Anyone's Signature
Last major update 08-06-2018 - 17:29
Published 08-06-2018 - 17:29
Last modified 01-08-2018 - 15:33