CVE-2018-12020
Published: 08 June 2018
mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
From the Ubuntu security team
Marcus Brinkmann discovered that GnuPG before 2.2.8 improperly handled certain command line parameters. A remote attacker could use this to spoof the output of GnuPG and cause unsigned e-mail to appear signed.
Priority
CVSS 3 base score: 7.5
Status
Package | Release | Status |
---|---|---|
enigmail Launchpad, Ubuntu, Debian |
Upstream |
Released
(2.0.7)
|
Ubuntu 20.10 (Groovy Gorilla) |
Needed
|
|
Ubuntu 20.04 LTS (Focal Fossa) |
Needed
|
|
Ubuntu 18.04 LTS (Bionic Beaver) |
Needed
|
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Needed
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was needed)
|
|
gnupg Launchpad, Ubuntu, Debian |
Upstream |
Released
(1.4.18-7+deb8u5)
|
Ubuntu 20.10 (Groovy Gorilla) |
Does not exist
|
|
Ubuntu 20.04 LTS (Focal Fossa) |
Does not exist
|
|
Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Released
(1.4.20-1ubuntu3.2)
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(1.4.16-1ubuntu2.5)
|
|
gnupg1 Launchpad, Ubuntu, Debian |
Upstream |
Released
(1.4.22-5)
|
Ubuntu 20.10 (Groovy Gorilla) |
Not vulnerable
(1.4.22-5)
|
|
Ubuntu 20.04 LTS (Focal Fossa) |
Not vulnerable
(1.4.22-5)
|
|
Ubuntu 18.04 LTS (Bionic Beaver) |
Needed
|
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Does not exist
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
gnupg2 Launchpad, Ubuntu, Debian |
Upstream |
Released
(2.2.8-1)
|
Ubuntu 20.10 (Groovy Gorilla) |
Released
(2.2.8-1ubuntu1)
|
|
Ubuntu 20.04 LTS (Focal Fossa) |
Released
(2.2.8-1ubuntu1)
|
|
Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(2.2.4-1ubuntu1.1)
|
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Released
(2.1.11-6ubuntu2.1)
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
(trusty was released [2.0.22-3ubuntu1.4])
|
|
python-gnupg Launchpad, Ubuntu, Debian |
Upstream |
Released
(0.4.3-1)
|
Ubuntu 20.10 (Groovy Gorilla) |
Not vulnerable
(0.4.3-1ubuntu1)
|
|
Ubuntu 20.04 LTS (Focal Fossa) |
Not vulnerable
(0.4.3-1ubuntu1)
|
|
Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(0.4.1-1ubuntu1.18.04.1)
|
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Needed
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Needed
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
- https://dev.gnupg.org/T4012
- https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
- https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=210e402acd3e284b32db1901e43bf1470e659e49 (STABLE-BRANCH-2-2)
- https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2326851c60793653069494379b16d84e4c10a0ac (STABLE-BRANCH-1-4)
- https://usn.ubuntu.com/usn/usn-3675-1
- https://sourceforge.net/p/enigmail/forum/announce/thread/b948279f/
- https://neopg.io/blog/gpg-signature-spoof/
- https://usn.ubuntu.com/usn/usn-3675-2
- https://usn.ubuntu.com/usn/usn-3675-3
- https://usn.ubuntu.com/usn/usn-3964-1
- NVD
- Launchpad
- Debian