Уязвимость CVE-2018-12020: Информация

Описание

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.

Важность: HIGH (7,5) Вектор: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2018-12020
Опубликовано: 9 июня 2018 г.
Изменено: 18 апреля 2022 г.
Идентификатор типа ошибки: CWE-706

Исправленные пакеты

Имя пакета
Ветка
Исправлено в версии
Версия в репозитории
Errata ID
№ Задания
Состояние
gnupgsisyphus1.4.22-alt21.4.23-alt4ALT-PU-2018-1884-1208098Исправлено
gnupgp101.4.22-alt21.4.23-alt4ALT-PU-2018-1884-1208098Исправлено
gnupgp91.4.22-alt21.4.23-alt1ALT-PU-2018-1884-1208098Исправлено
gnupgc10f11.4.22-alt21.4.23-alt4ALT-PU-2018-1884-1208098Исправлено
gnupgc9f21.4.22-alt21.4.23-alt1ALT-PU-2018-1884-1208098Исправлено
gnupgp111.4.22-alt21.4.23-alt4ALT-PU-2018-1884-1208098Исправлено
gnupg2sisyphus2.2.8-alt1.S12.4.3-alt1ALT-PU-2018-1881-1208079Исправлено
gnupg2p102.2.8-alt1.S12.2.33-alt1ALT-PU-2018-1881-1208079Исправлено
gnupg2p92.2.8-alt1.S12.2.19-alt2ALT-PU-2018-1881-1208079Исправлено
gnupg2p82.2.8-alt1.M80P.12.2.10-alt4ALT-PU-2018-1889-1208080Исправлено
gnupg2c10f12.2.8-alt1.S12.2.33-alt1ALT-PU-2018-1881-1208079Исправлено
gnupg2c9f22.2.8-alt1.S12.2.19-alt2ALT-PU-2018-1881-1208079Исправлено
gnupg2p112.2.8-alt1.S12.4.3-alt1ALT-PU-2018-1881-1208079Исправлено

Ссылки на рекомендации, решения и инструменты

Ссылка
Ресурс
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
  • Mailing List
  • Vendor Advisory
https://dev.gnupg.org/T4012
  • Patch
  • Vendor Advisory
http://openwall.com/lists/oss-security/2018/06/08/2
  • Mailing List
  • Third Party Advisory
DSA-4224
  • Third Party Advisory
DSA-4223
  • Third Party Advisory
DSA-4222
  • Third Party Advisory
1041051
  • Broken Link
USN-3675-1
  • Third Party Advisory
104450
  • Broken Link
USN-3675-2
  • Third Party Advisory
USN-3675-3
  • Third Party Advisory
RHSA-2018:2181
  • Third Party Advisory
RHSA-2018:2180
  • Third Party Advisory
https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0
  • Third Party Advisory
[oss-security] 20190430 Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients)
  • Mailing List
  • Third Party Advisory
20190430 OpenPGP and S/MIME signature forgery attacks in multiple email clients
  • Mailing List
  • Third Party Advisory
http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html
  • Third Party Advisory
  • VDB Entry
USN-3964-1
  • Third Party Advisory
https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf
  • Technical Description
  • Third Party Advisory
https://github.com/RUB-NDS/Johnny-You-Are-Fired
  • Technical Description
  • Third Party Advisory
[debian-lts-announce] 20211228 [SECURITY] [DLA 2862-1] python-gnupg security update
  • Mailing List
  • Third Party Advisory

    1. Конфигурация 1

      cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
      cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
      cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
      cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
      cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
      cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
      cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
      cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
      cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
      cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*

      Конфигурация 2

      cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
      cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
      cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
      cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
      cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
      cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
      cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*

      Конфигурация 3

      cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
      cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

      Конфигурация 4

      cpe:2.3:a:gnupg:gnupg:*:*:*:*:*:*:*:*
      End excliding
      2.2.8
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Версия: v24.5.3
Наверх