Bug 1589620 (CVE-2018-12020) - CVE-2018-12020 gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification
Summary: CVE-2018-12020 gnupg2: Improper sanitization of filenames allows for the disp...
Status: CLOSED ERRATA
Alias: CVE-2018-12020
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1589621 1589622 1589624 1590366 1590367 1590378 1590379 1590380 1724852 1724853
Blocks: 1589623
Reported: 2018-06-11 01:45 UTC by Sam Fowler
Modified: 2022-03-13 15:05 UTC

Fixed In Version: gnupg2 2.2.8
Doc Type: If docs needed, set a value
Doc Text:
A data validation flaw was found in the way gnupg processes file names during decryption and signature validation. An attacker may be able to inject messages into gnupg's verbose message logging; such injected lines could be used to spoof the status messages that signal a valid signature, and could have other unintended consequences in applications that take action based on parsed verbose gnupg output.
Last Closed: 2019-06-10 10:28:34 UTC


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2018:2180  0        None      None    None     2018-07-11 20:47:13 UTC
Red Hat Product Errata  RHSA-2018:2181  0        None      None    None     2018-07-11 21:06:18 UTC

Description Sam Fowler 2018-06-11 01:45:51 UTC
GnuPG before version 2.2.8 does not properly sanitize original filenames of signed or encrypted messages, allowing for the insertion of line feeds and other control characters. An attacker could exploit this by injecting such characters to craft status messages and fake the validity of signatures.


External Reference:

https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html


Upstream Issue:

https://dev.gnupg.org/T4012


Upstream Patches:

https://dev.gnupg.org/rG2326851c60793653069494379b16d84e4c10a0ac
https://dev.gnupg.org/rG210e402acd3e284b32db1901e43bf1470e659e49
https://dev.gnupg.org/rG13f135c7a252cc46cff96e75968d92b6dc8dce1b

Comment 1 Sam Fowler 2018-06-11 01:46:16 UTC
Created gnupg2 tracking bugs for this issue:

Affects: fedora-all [bug 1589621]

Comment 3 Sam Fowler 2018-06-11 01:49:38 UTC
Created gnupg tracking bugs for this issue:

Affects: fedora-all [bug 1589624]

Comment 5 Scott Gayou 2018-06-11 19:21:36 UTC
This can be demonstrated by the following:

# Create a file whose name contains a line feed followed by a fake status line.
echo hello > $'file\n[GNUPG:] FAKE'
# Note the newline in the parameter to the gpg call. Used tab completion for this.
gpg -o custompoc.gpg --passphrase abc -c 'file
[GNUPG:] FAKE'

# Decrypt verbosely: the original file name is echoed unescaped, so its second line
# is indistinguishable from a real [GNUPG:] status line.
gpg --passphrase abc --no-options -vd custompoc.gpg 2>&1
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
gpg: original file name='file
[GNUPG:] FAKE'
hello

Comment 9 Scott Gayou 2018-06-12 15:34:12 UTC
Statement:

Red Hat Product Security has rated this issue as having a security impact of Important, and a future update may address this flaw.

Comment 11 Scott Gayou 2018-06-12 19:15:46 UTC
Mitigation:

This flaw can be mitigated by appending the --no-verbose command line flag.
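The injection shown in Comment 5 and the effect of escaping the file name (the upstream fix) versus leaving it verbatim, modelled in an added Python example; this is not code from the bug report or from GnuPG. The backslash escaping scheme, the interleaved log/status stream and the trailing line feed on the file name are assumptions of this example.

```python
# Model of the flaw: a [GNUPG:] line smuggled into gpg's verbose log.
STATUS_PREFIX = "[GNUPG:] "

# Constructed: the Comment 5 file name plus a trailing line feed, so the
# closing quote of the log line lands on a line of its own.
POC_FILENAME = "file\n[GNUPG:] FAKE\n"

def verbose_line_unsanitized(filename):
    """Pre-2.2.8 behaviour: the original file name is echoed verbatim."""
    return f"gpg: original file name='{filename}'"

def escape_control_chars(s):
    """Escape characters that could split one log line into several.
    The backslash scheme is this example's own assumption, not GnuPG's."""
    out = []
    for ch in s:
        if ch == "\\":
            out.append("\\\\")
        elif ch == "\n":
            out.append("\\n")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)

def verbose_line_sanitized(filename):
    """Fixed behaviour: no control character survives into the log line."""
    return f"gpg: original file name='{escape_control_chars(filename)}'"

def parse_status_lines(stream):
    """Naive consumer: trusts every line carrying the status prefix, as an
    application reading status and log output from one stream would."""
    return [ln[len(STATUS_PREFIX):].split(" ", 1)[0]
            for ln in stream.splitlines() if ln.startswith(STATUS_PREFIX)]

def simulate_decrypt(filename, sanitized):
    """Interleave log and status lines as they appear when the status fd and
    stderr are one descriptor (constructed sequence), then parse them.
    Returns the status keywords the consumer would act on."""
    fmt = verbose_line_sanitized if sanitized else verbose_line_unsanitized
    stream = "\n".join([
        "gpg: AES encrypted data",
        STATUS_PREFIX + "BEGIN_DECRYPTION",
        fmt(filename),
        STATUS_PREFIX + "DECRYPTION_OKAY",
    ])
    return parse_status_lines(stream)
```

With the verbatim formatter the consumer sees a FAKE keyword it never received from gpg; with escaping, or with --no-verbose as Comment 11 notes, the file name never yields a second line. Reading status lines from a --status-fd that is not shared with stderr removes the mixed stream this parser depends on.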

Comment 19 errata-xmlrpc 2018-07-11 20:47:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2180 https://access.redhat.com/errata/RHSA-2018:2180

Comment 20 errata-xmlrpc 2018-07-11 21:06:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2181 https://access.redhat.com/errata/RHSA-2018:2181

