Packages

  • Status Closed
  • Percent Complete
    100%
  • Task Type Security Issue
  • Category Any
  • Assigned To
    Emulatorman
  • Operating System All
  • Severity High
  • Priority Very High
  • Reported Version Any
  • Due in Version Starfix
  • Due Date Undecided
  • Votes
  • Private
Attached to Project: Packages
Opened by bugmen0t - 21/06/2018
Last edited by Emulatorman - 23/06/2018

FS#1027 - [gnupg] CVE-2018-12020

https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

We are pleased to announce the availability of a new GnuPG release:
version 2.2.8. This version fixes a critical security bug and comes
with some other minor changes.
Closed by  Emulatorman
23.06.2018 17:57
Reason for closing:  Fixed
bugmen0t commented on 21.06.2018 16:52

https://security-tracker.debian.org/tracker/CVE-2018-12020

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "–status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
Admin
Emulatorman commented on 22.06.2018 02:02

Debian pushed a new patch (see attachment) to solve this issue in its stable version of GnuPG (2.1.18-8~deb9u2) [0] , therefore upgrade Debian patches in our package is enough to fix this issue.

   0079-gpg-Sanitize-diagnostic-... (1.8 KiB)
Admin
Emulatorman commented on 23.06.2018 17:56

I've pushed a new package called gnupg-stable that replaces gnupg, it contains the required patches to solve the issue. So, i'm closing this report, thank you for the report!

Date User Effort (H:M)
watch my effort tracking timers

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing