Bug 1589620 - (CVE-2018-12020) CVE-2018-12020 gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20180608,repo...
Keywords: Security
Depends On: 1589621 1589622 1589624 1590366 1590367 1590378 1590379 1590380
Blocks: 1589623
Reported: 2018-06-10 21:45 EDT by Sam Fowler
Modified: 2018-07-11 17:06 EDT (History)

Fixed In Version: gnupg2 2.2.8
Doc Text:
A data validation flaw was found in the way gnupg processes file names during decryption and signature validation. An attacker may be able to inject messages into gnupg's verbose message logging, which may allow the integrity of signature authentication mechanisms to be bypassed and could have other unintended consequences if applications take action based on parsed verbose gnupg output.
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2180 None None None 2018-07-11 16:47 EDT
Red Hat Product Errata RHSA-2018:2181 None None None 2018-07-11 17:06 EDT
Description Sam Fowler 2018-06-10 21:45:51 EDT
GnuPG before version 2.2.8 does not properly sanitize original filenames of signed or encrypted messages, allowing for the insertion of line feeds and other control characters. An attacker could exploit this by injecting such characters to craft status messages and fake the validity of signatures.


External Reference:

https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html


Upstream Issue:

https://dev.gnupg.org/T4012


Upstream Patches:

https://dev.gnupg.org/rG2326851c60793653069494379b16d84e4c10a0ac
https://dev.gnupg.org/rG210e402acd3e284b32db1901e43bf1470e659e49
https://dev.gnupg.org/rG13f135c7a252cc46cff96e75968d92b6dc8dce1b
Comment 1 Sam Fowler 2018-06-10 21:46:16 EDT
Created gnupg2 tracking bugs for this issue:

Affects: fedora-all [bug 1589621]
Comment 3 Sam Fowler 2018-06-10 21:49:38 EDT
Created gnupg tracking bugs for this issue:

Affects: fedora-all [bug 1589624]
Comment 5 Scott Gayou 2018-06-11 15:21:36 EDT
This can be demonstrated by the following:

echo hello > $'file\n[GNUPG:] FAKE'
# Note the newline in the parameter to the gpg call. Used tab completion for this.
gpg -o custompoc.gpg --passphrase abc -c 'file
[GNUPG:] FAKE'

# Decrypt verbosely with stdout and stderr merged; the newline in the stored file name splits the "original file name" diagnostic across two lines.
gpg --passphrase abc --no-options -vd custompoc.gpg 2>&1
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
gpg: original file name='file
[GNUPG:] FAKE'
hello
Comment 9 Scott Gayou 2018-06-12 11:34:12 EDT
Statement:

Red Hat Product Security has rated this issue as having a security impact of Important, and a future update may address this flaw.
Comment 11 Scott Gayou 2018-06-12 15:15:46 EDT
Mitigation:

This flaw can be mitigated by appending the --no-verbose command line flag.
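Added example (Python, not code from this bug report or from GnuPG) showing the defender's side of Comment 5 and Comment 11: a wrapper that scrapes status lines out of gpg's mixed verbose stderr accepts the forged line, whereas one that reads only a dedicated --status-fd stream (run with --no-verbose) and escapes file names before logging them does not. Both sample streams are constructed from the output shown in Comment 5.

```python
import re

# Constructed sample of gpg's combined stderr (2>&1) from the Comment 5 PoC:
# the file name holds a newline, so its tail looks like a status line.
MIXED_STDERR = (
    "gpg: AES encrypted data\n"
    "gpg: encrypted with 1 passphrase\n"
    "gpg: original file name='file\n"
    "[GNUPG:] FAKE'\n"
)

# Constructed sample of what the same run writes to a dedicated --status-fd
# (symmetric decryption, no signature, so no GOODSIG/VALIDSIG line exists).
STATUS_FD = (
    "[GNUPG:] BEGIN_DECRYPTION\n"
    "[GNUPG:] DECRYPTION_OKAY\n"
    "[GNUPG:] END_DECRYPTION\n"
)

NAIVE_RE = re.compile(r"\[GNUPG:\] ([A-Z][A-Z0-9_]*)")
STRICT_RE = re.compile(r"^\[GNUPG:\] ([A-Z][A-Z0-9_]*)(?: ([^\x00-\x1f\x7f]*))?$")

def naive_status_keywords(text):
    """Flawed: scans a mixed log/status stream (stderr with -v) and believes
    any line starting with the status prefix, which is what the PoC forges."""
    found = []
    for line in text.splitlines():
        m = NAIVE_RE.match(line)
        if m:
            found.append(m.group(1))
    return found

def status_keywords(status_fd_text):
    """Parse only the dedicated status descriptor (gpg --status-fd N, run
    with --no-verbose as in Comment 11). Every line must fit the
    '[GNUPG:] KEYWORD args' grammar; anything else aborts, since a stray
    line on this descriptor means the stream cannot be trusted."""
    found = []
    for line in status_fd_text.splitlines():
        m = STRICT_RE.match(line)
        if not m:
            raise ValueError("not a status line: %r" % line)
        found.append(m.group(1))
    return found

def safe_display_name(name):
    """Escape control characters before an application logs or shows a file
    name taken from a message, as the 2.2.8 fix does in gpg's own log."""
    return "".join(c if 0x20 <= ord(c) < 0x7f else "\\x%02x" % ord(c)
                   for c in name)
```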
Comment 19 errata-xmlrpc 2018-07-11 16:47:05 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2180 https://access.redhat.com/errata/RHSA-2018:2180
Comment 20 errata-xmlrpc 2018-07-11 17:06:11 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2181 https://access.redhat.com/errata/RHSA-2018:2181