Bug 1589620 (CVE-2018-12020)

Summary: CVE-2018-12020 gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bcl, crypto-team, p.malishev, rdieter, slawomir, tmraz, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: gnupg2 2.2.8 Doc Type: If docs needed, set a value
Doc Text:
A data validation flaw was found in the way gnupg processes file names during decryption and signature validation. An attacker may be able to inject messages into gnupg verbose message logging which may have the potential to bypass the integrity of signature authentication mechanisms and could have other unintended consequences if applications take action(s) based on parsed verbose gnupg output.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:28:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1589621, 1589622, 1589624, 1590366, 1590367, 1590378, 1590379, 1590380, 1724852, 1724853    
Bug Blocks: 1589623    

Description Sam Fowler 2018-06-11 01:45:51 UTC 
GnuPG before version 2.2.8 does not properly sanitize original filenames of signed or encrypted messages allowing for the insertion of line feeds and other control characters. An attacker could exploit this by injecting such characters to craft status messages and fake the validity of signatures.


External Reference:

https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html


Upstream Issue:

https://dev.gnupg.org/T4012


Upstream Patches:

https://dev.gnupg.org/rG2326851c60793653069494379b16d84e4c10a0ac
https://dev.gnupg.org/rG210e402acd3e284b32db1901e43bf1470e659e49
https://dev.gnupg.org/rG13f135c7a252cc46cff96e75968d92b6dc8dce1b
Comment 1 Sam Fowler 2018-06-11 01:46:16 UTC 
Created gnupg2 tracking bugs for this issue:

Affects: fedora-all [bug 1589621]
Comment 3 Sam Fowler 2018-06-11 01:49:38 UTC 
Created gnupg tracking bugs for this issue:

Affects: fedora-all [bug 1589624]
Comment 5 Scott Gayou 2018-06-11 19:21:36 UTC 
This can be demonstrated by the following:

echo hello > $'file\n[GNUPG:] FAKE'
# Note the newline in the parameter to the gpg call. Used tab completion for this.
gpg -o custompoc.gpg --passphrase abc -c 'file
[GNUPG:] FAKE'

gpg --passphrase abc --no-options -vd custompoc.gpg 2>&1
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
gpg: original file name='file
[GNUPG:] FAKE'
hello
Comment 9 Scott Gayou 2018-06-12 15:34:12 UTC 
Statement:

Red Hat Product Security has rated this issue as having a security impact of Important, and a future update may address this flaw.
Comment 11 Scott Gayou 2018-06-12 19:15:46 UTC 
Mitigation:

This flaw can be mitigated by appending the --no-verbose command line flag.
Comment 19 errata-xmlrpc 2018-07-11 20:47:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2180 https://access.redhat.com/errata/RHSA-2018:2180
Comment 20 errata-xmlrpc 2018-07-11 21:06:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2181 https://access.redhat.com/errata/RHSA-2018:2181