Bug 1589620 (CVE-2018-12020) - CVE-2018-12020 gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification
Alias: CVE-2018-12020
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1589621 1589622 1589624 1590366 1590367 1590378 1590379 1590380 1724852 1724853
Blocks: 1589623
Reported: 2018-06-11 01:45 UTC by Sam Fowler
Modified: 2022-03-13 15:05 UTC

Fixed In Version: gnupg2 2.2.8
Doc Text:
A data validation flaw was found in the way gnupg processes file names during decryption and signature validation. An attacker may be able to inject messages into gnupg verbose message logging which may have the potential to bypass the integrity of signature authentication mechanisms and could have other unintended consequences if applications take action(s) based on parsed verbose gnupg output.
Clone Of:
Last Closed: 2019-06-10 10:28:34 UTC


System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2018:2180 | 0 | None | None | None | 2018-07-11 20:47:13 UTC
Red Hat Product Errata | RHSA-2018:2181 | 0 | None | None | None | 2018-07-11 21:06:18 UTC

Description Sam Fowler 2018-06-11 01:45:51 UTC
GnuPG before version 2.2.8 does not properly sanitize original filenames of signed or encrypted messages allowing for the insertion of line feeds and other control characters. An attacker could exploit this by injecting such characters to craft status messages and fake the validity of signatures.

External Reference:


Upstream Issue:


Upstream Patches:


Comment 1 Sam Fowler 2018-06-11 01:46:16 UTC
Created gnupg2 tracking bugs for this issue:

Affects: fedora-all [bug 1589621]

Comment 3 Sam Fowler 2018-06-11 01:49:38 UTC
Created gnupg tracking bugs for this issue:

Affects: fedora-all [bug 1589624]

Comment 5 Scott Gayou 2018-06-11 19:21:36 UTC
This can be demonstrated by the following:

echo hello > $'file\n[GNUPG:] FAKE'
# Note the newline in the parameter to the gpg call. Used tab completion for this.
gpg -o custompoc.gpg --passphrase abc -c 'file
[GNUPG:] FAKE'

gpg --passphrase abc --no-options -vd custompoc.gpg 2>&1
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
gpg: original file name='file
[GNUPG:] FAKE'

Comment 9 Scott Gayou 2018-06-12 15:34:12 UTC

Red Hat Product Security has rated this issue as having a security impact of Important, and a future update may address this flaw.

Comment 11 Scott Gayou 2018-06-12 19:15:46 UTC

This flaw can be mitigated by appending the --no-verbose command line flag.
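
Added example (not part of the bug report and not GnuPG code): on constructed log text, it shows why a caller that scans a merged verbose/status stream for lines starting with `[GNUPG:] ` is misled by the file name from Comment 5, and how escaping control characters in the name removes the injected line. The helper names, the sample log text and the use of descriptor 3 for `--status-fd` are assumptions of this example; `--no-verbose` is the mitigation from Comment 11.

```python
STATUS_PREFIX = "[GNUPG:] "

# File name from Comment 5: a line feed followed by text shaped like a status line.
NAME = "file\n[GNUPG:] FAKE"


def build_merged_log(name):
    """Constructed sample: verbose log and status lines sharing one stream."""
    return (
        "gpg: AES encrypted data\n"
        "gpg: encrypted with 1 passphrase\n"
        f"gpg: original file name='{name}'\n"
        "[GNUPG:] DECRYPTION_OKAY\n"
    )


def status_keywords(text):
    """Keyword of every line that starts with the status prefix.

    This is the fragile pattern: it trusts line position alone, so any
    log text that contains a raw line feed can create a 'status line'.
    """
    return [
        line[len(STATUS_PREFIX):].split(" ", 1)[0]
        for line in text.split("\n")
        if line.startswith(STATUS_PREFIX)
    ]


def escape_controls(name):
    """Escape C0 controls and DEL so a name cannot start a new log line."""
    return "".join(
        f"\\x{ord(c):02x}" if ord(c) < 0x20 or ord(c) == 0x7F else c
        for c in name
    )


def gpg_decrypt_argv(path, status_fd=3):
    """argv that keeps verbose logging off and status on its own descriptor."""
    return ["gpg", "--no-verbose", "--status-fd", str(status_fd),
            "--decrypt", path]


if __name__ == "__main__":
    # Raw name: the injected line is reported as if gpg had emitted it.
    print(status_keywords(build_merged_log(NAME)))
    # Escaped name: only the genuine status line remains.
    print(status_keywords(build_merged_log(escape_controls(NAME))))
    print(gpg_decrypt_argv("custompoc.gpg"))
```

The injected keyword comes back as `FAKE'` because the closing quote of the log line follows the file name; a caller that reads status lines only from the dedicated descriptor never sees the log text at all.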

Comment 19 errata-xmlrpc 2018-07-11 20:47:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2180 https://access.redhat.com/errata/RHSA-2018:2180

Comment 20 errata-xmlrpc 2018-07-11 21:06:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2181 https://access.redhat.com/errata/RHSA-2018:2181
