CVE-2018-12020
Published: 8 June 2018
mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
From the Ubuntu Security Team
Marcus Brinkmann discovered that GnuPG before 2.2.8 improperly handled certain command line parameters. A remote attacker could use this to spoof the output of GnuPG and cause unsigned e-mail to appear signed.
Priority
Status
Package | Release | Status |
---|---|---|
enigmail (Launchpad, Ubuntu, Debian) | artful | Ignored (end of life) |
enigmail | bionic | Needed |
enigmail | cosmic | Ignored (end of life) |
enigmail | disco | Ignored (end of life) |
enigmail | eoan | Ignored (end of life) |
enigmail | hirsute | Ignored (end of life) |
enigmail | xenial | Needed |
enigmail | kinetic | Ignored (end of life, was needed) |
enigmail | jammy | Needed |
enigmail | lunar | Not vulnerable (2:2.2.4-0.3) |
enigmail | focal | Needed |
enigmail | groovy | Ignored (end of life) |
enigmail | impish | Ignored (end of life) |
enigmail | trusty | Does not exist (trusty was needed) |
enigmail | upstream | Released (2.0.7) |
gnupg (Launchpad, Ubuntu, Debian) | impish | Does not exist |
gnupg | groovy | Does not exist |
gnupg | jammy | Does not exist |
gnupg | artful | Does not exist |
gnupg | bionic | Does not exist |
gnupg | cosmic | Does not exist |
gnupg | disco | Does not exist |
gnupg | eoan | Does not exist |
gnupg | focal | Does not exist |
gnupg | hirsute | Does not exist |
gnupg | kinetic | Does not exist |
gnupg | lunar | Does not exist |
gnupg | trusty | Released (1.4.16-1ubuntu2.5) |
gnupg | upstream | Released (1.4.18-7+deb8u5) |
gnupg | xenial | Released (1.4.20-1ubuntu3.2) |
gnupg1 (Launchpad, Ubuntu, Debian) | impish | Not vulnerable (1.4.22-5) |
gnupg1 | groovy | Not vulnerable (1.4.22-5) |
gnupg1 | jammy | Not vulnerable (1.4.22-5) |
gnupg1 | artful | Ignored (end of life) |
gnupg1 | bionic | Needed |
gnupg1 | cosmic | Ignored (end of life) |
gnupg1 | disco | Ignored (end of life) |
gnupg1 | eoan | Not vulnerable (1.4.22-5) |
gnupg1 | focal | Not vulnerable (1.4.22-5) |
gnupg1 | hirsute | Not vulnerable (1.4.22-5) |
gnupg1 | kinetic | Not vulnerable (1.4.22-5) |
gnupg1 | lunar | Not vulnerable (1.4.22-5) |
gnupg1 | trusty | Does not exist |
gnupg1 | upstream | Released (1.4.22-5) |
gnupg1 | xenial | Does not exist |
python-gnupg (Launchpad, Ubuntu, Debian) | xenial | Released (0.3.8-2ubuntu0.1~esm1), available with Ubuntu Pro |
python-gnupg | artful | Ignored (end of life) |
python-gnupg | bionic | Released (0.4.1-1ubuntu1.18.04.1) |
python-gnupg | cosmic | Released (0.4.1-1ubuntu1.18.10.1) |
python-gnupg | disco | Not vulnerable (0.4.3-1ubuntu1) |
python-gnupg | eoan | Not vulnerable (0.4.3-1ubuntu1) |
python-gnupg | focal | Not vulnerable (0.4.3-1ubuntu1) |
python-gnupg | groovy | Not vulnerable (0.4.3-1ubuntu1) |
python-gnupg | hirsute | Not vulnerable (0.4.3-1ubuntu1) |
python-gnupg | impish | Not vulnerable (0.4.3-1ubuntu1) |
python-gnupg | jammy | Not vulnerable (0.4.3-1ubuntu1) |
python-gnupg | kinetic | Not vulnerable (0.4.3-1ubuntu1) |
python-gnupg | lunar | Not vulnerable (0.4.3-1ubuntu1) |
python-gnupg | trusty | Released (0.3.6-1ubuntu0.1~esm1), available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
python-gnupg | upstream | Released (0.4.3-1) |
gnupg2 (Launchpad, Ubuntu, Debian) | artful | Released (2.1.15-1ubuntu8.1) |
gnupg2 | bionic | Released (2.2.4-1ubuntu1.1) |
gnupg2 | cosmic | Released (2.2.8-1ubuntu1) |
gnupg2 | disco | Released (2.2.8-1ubuntu1) |
gnupg2 | eoan | Released (2.2.8-1ubuntu1) |
gnupg2 | focal | Released (2.2.8-1ubuntu1) |
gnupg2 | groovy | Released (2.2.8-1ubuntu1) |
gnupg2 | hirsute | Released (2.2.8-1ubuntu1) |
gnupg2 | impish | Released (2.2.8-1ubuntu1) |
gnupg2 | jammy | Released (2.2.8-1ubuntu1) |
gnupg2 | kinetic | Released (2.2.8-1ubuntu1) |
gnupg2 | lunar | Released (2.2.8-1ubuntu1) |
gnupg2 | trusty | Released (2.0.22-3ubuntu1.4) |
gnupg2 | upstream | Released (2.2.8-1) |
gnupg2 | xenial | Released (2.1.11-6ubuntu2.1) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
- https://dev.gnupg.org/T4012
- https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
- https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=210e402acd3e284b32db1901e43bf1470e659e49 (STABLE-BRANCH-2-2)
- https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2326851c60793653069494379b16d84e4c10a0ac (STABLE-BRANCH-1-4)
- https://ubuntu.com/security/notices/USN-3675-1
- https://sourceforge.net/p/enigmail/forum/announce/thread/b948279f/
- https://neopg.io/blog/gpg-signature-spoof/
- https://ubuntu.com/security/notices/USN-3675-2
- https://ubuntu.com/security/notices/USN-3675-3
- https://ubuntu.com/security/notices/USN-3964-1
- https://ubuntu.com/security/notices/USN-4839-1
- NVD
- Launchpad
- Debian