CVE-2018-12020
Published: 8 June 2018
mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
From the Ubuntu security team
Marcus Brinkmann discovered that GnuPG before 2.2.8 improperly handled certain command line parameters. A remote attacker could use this to spoof the output of GnuPG and cause unsigned e-mail to appear signed.
Priority
CVSS 3 base score: 7.5
Status
Package | Release | Status |
---|---|---|
enigmail Launchpad, Ubuntu, Debian |
artful |
Ignored
(reached end-of-life)
|
bionic |
Needed
|
|
cosmic |
Ignored
(reached end-of-life)
|
|
disco |
Ignored
(reached end-of-life)
|
|
eoan |
Ignored
(reached end-of-life)
|
|
focal |
Needed
|
|
groovy |
Ignored
(reached end-of-life)
|
|
hirsute |
Ignored
(reached end-of-life)
|
|
impish |
Needed
|
|
jammy |
Needed
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
(trusty was needed)
|
|
upstream |
Released
(2.0.7)
|
|
xenial |
Ignored
(end of standard support, was needed)
|
|
gnupg Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
precise |
Released
(1.4.11-3ubuntu2.11)
|
|
trusty |
Released
(1.4.16-1ubuntu2.5)
|
|
upstream |
Released
(1.4.18-7+deb8u5)
|
|
xenial |
Released
(1.4.20-1ubuntu3.2)
|
|
gnupg1 Launchpad, Ubuntu, Debian |
artful |
Ignored
(reached end-of-life)
|
bionic |
Needed
|
|
cosmic |
Ignored
(reached end-of-life)
|
|
disco |
Ignored
(reached end-of-life)
|
|
eoan |
Not vulnerable
(1.4.22-5)
|
|
focal |
Not vulnerable
(1.4.22-5)
|
|
groovy |
Not vulnerable
(1.4.22-5)
|
|
hirsute |
Not vulnerable
(1.4.22-5)
|
|
impish |
Not vulnerable
(1.4.22-5)
|
|
jammy |
Not vulnerable
(1.4.22-5)
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(1.4.22-5)
|
|
xenial |
Does not exist
|
|
gnupg2 Launchpad, Ubuntu, Debian |
artful |
Released
(2.1.15-1ubuntu8.1)
|
bionic |
Released
(2.2.4-1ubuntu1.1)
|
|
cosmic |
Released
(2.2.8-1ubuntu1)
|
|
disco |
Released
(2.2.8-1ubuntu1)
|
|
eoan |
Released
(2.2.8-1ubuntu1)
|
|
focal |
Released
(2.2.8-1ubuntu1)
|
|
groovy |
Released
(2.2.8-1ubuntu1)
|
|
hirsute |
Released
(2.2.8-1ubuntu1)
|
|
impish |
Released
(2.2.8-1ubuntu1)
|
|
jammy |
Released
(2.2.8-1ubuntu1)
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
(trusty was released [2.0.22-3ubuntu1.4])
|
|
upstream |
Released
(2.2.8-1)
|
|
xenial |
Released
(2.1.11-6ubuntu2.1)
|
|
python-gnupg Launchpad, Ubuntu, Debian |
artful |
Ignored
(reached end-of-life)
|
bionic |
Released
(0.4.1-1ubuntu1.18.04.1)
|
|
cosmic |
Released
(0.4.1-1ubuntu1.18.10.1)
|
|
disco |
Not vulnerable
(0.4.3-1ubuntu1)
|
|
eoan |
Not vulnerable
(0.4.3-1ubuntu1)
|
|
focal |
Not vulnerable
(0.4.3-1ubuntu1)
|
|
groovy |
Not vulnerable
(0.4.3-1ubuntu1)
|
|
hirsute |
Not vulnerable
(0.4.3-1ubuntu1)
|
|
impish |
Not vulnerable
(0.4.3-1ubuntu1)
|
|
jammy |
Not vulnerable
(0.4.3-1ubuntu1)
|
|
precise |
Does not exist
|
|
trusty |
Needed
|
|
upstream |
Released
(0.4.3-1)
|
|
xenial |
Ignored
(end of standard support, was needed)
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
- https://dev.gnupg.org/T4012
- https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
- https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=210e402acd3e284b32db1901e43bf1470e659e49 (STABLE-BRANCH-2-2)
- https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2326851c60793653069494379b16d84e4c10a0ac (STABLE-BRANCH-1-4)
- https://ubuntu.com/security/notices/USN-3675-1
- https://sourceforge.net/p/enigmail/forum/announce/thread/b948279f/
- https://neopg.io/blog/gpg-signature-spoof/
- https://ubuntu.com/security/notices/USN-3675-2
- https://ubuntu.com/security/notices/USN-3675-3
- https://ubuntu.com/security/notices/USN-3964-1
- NVD
- Launchpad
- Debian