GnuPG before version 2.2.8 does not properly sanitize original filenames of signed or encrypted messages allowing for the insertion of line feeds and other control characters. An attacker could exploit this by injecting such characters to craft status messages and fake the validity of signatures. External Reference: https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html Upstream Issue: https://dev.gnupg.org/T4012 Upstream Patches: https://dev.gnupg.org/rG2326851c60793653069494379b16d84e4c10a0ac https://dev.gnupg.org/rG210e402acd3e284b32db1901e43bf1470e659e49 https://dev.gnupg.org/rG13f135c7a252cc46cff96e75968d92b6dc8dce1b
Created gnupg2 tracking bugs for this issue: Affects: fedora-all [bug 1589621]
Created gnupg tracking bugs for this issue: Affects: fedora-all [bug 1589624]
This can be demonstrated by the following: echo hello > $'file\n[GNUPG:] FAKE' # Note the newline in the parameter to the gpg call. Used tab completion for this. gpg -o custompoc.gpg --passphrase abc -c 'file [GNUPG:] FAKE' gpg --passphrase abc --no-options -vd custompoc.gpg 2>&1 gpg: AES encrypted data gpg: encrypted with 1 passphrase gpg: original file name='file [GNUPG:] FAKE' hello
Statement: Red Hat Product Security has rated this issue as having a security impact of Important, and a future update may address this flaw.
Mitigation: This flaw can be mitigated by appending the --no-verbose command line flag.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:2180 https://access.redhat.com/errata/RHSA-2018:2180
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:2181 https://access.redhat.com/errata/RHSA-2018:2181