CVE-2018-12020
Published: 08 June 2018
mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
From the Ubuntu security team
Marcus Brinkmann discovered that GnuPG before 2.2.8 improperly handled certain command line parameters. A remote attacker could use this to spoof the output of GnuPG and cause unsigned e-mail to appear signed.
Priority
Medium
CVSS 3 base score: 7.5
Status
| Package | Release | Status |
|---|---|---|
|
enigmail Launchpad, Ubuntu, Debian |
Upstream |
Released
(2.0.7)
|
| Ubuntu 21.10 (Impish Indri) |
Needed
|
|
| Ubuntu 21.04 (Hirsute Hippo) |
Needed
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Needed
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Needed
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Ignored
(end of standard support, was needed)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was needed)
|
|
|
gnupg Launchpad, Ubuntu, Debian |
Upstream |
Released
(1.4.18-7+deb8u5)
|
| Ubuntu 21.10 (Impish Indri) |
Does not exist
|
|
| Ubuntu 21.04 (Hirsute Hippo) |
Does not exist
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Does not exist
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Released
(1.4.20-1ubuntu3.2)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(1.4.16-1ubuntu2.5)
|
|
|
gnupg1 Launchpad, Ubuntu, Debian |
Upstream |
Released
(1.4.22-5)
|
| Ubuntu 21.10 (Impish Indri) |
Not vulnerable
(1.4.22-5)
|
|
| Ubuntu 21.04 (Hirsute Hippo) |
Not vulnerable
(1.4.22-5)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Not vulnerable
(1.4.22-5)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Needed
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
gnupg2 Launchpad, Ubuntu, Debian |
Upstream |
Released
(2.2.8-1)
|
| Ubuntu 21.10 (Impish Indri) |
Released
(2.2.8-1ubuntu1)
|
|
| Ubuntu 21.04 (Hirsute Hippo) |
Released
(2.2.8-1ubuntu1)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Released
(2.2.8-1ubuntu1)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(2.2.4-1ubuntu1.1)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Released
(2.1.11-6ubuntu2.1)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was released [2.0.22-3ubuntu1.4])
|
|
|
python-gnupg Launchpad, Ubuntu, Debian |
Upstream |
Released
(0.4.3-1)
|
| Ubuntu 21.10 (Impish Indri) |
Not vulnerable
(0.4.3-1ubuntu1)
|
|
| Ubuntu 21.04 (Hirsute Hippo) |
Not vulnerable
(0.4.3-1ubuntu1)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Not vulnerable
(0.4.3-1ubuntu1)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(0.4.1-1ubuntu1.18.04.1)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Ignored
(end of standard support, was needed)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Needed
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
- https://dev.gnupg.org/T4012
- https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
- https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=210e402acd3e284b32db1901e43bf1470e659e49 (STABLE-BRANCH-2-2)
- https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2326851c60793653069494379b16d84e4c10a0ac (STABLE-BRANCH-1-4)
- https://ubuntu.com/security/notices/USN-3675-1
- https://sourceforge.net/p/enigmail/forum/announce/thread/b948279f/
- https://neopg.io/blog/gpg-signature-spoof/
- https://ubuntu.com/security/notices/USN-3675-2
- https://ubuntu.com/security/notices/USN-3675-3
- https://ubuntu.com/security/notices/USN-3964-1
- NVD
- Launchpad
- Debian