• Status Closed
  • Percent Complete
  • Task Type Security Issue
  • Category Any
  • Assigned To
  • Operating System All
  • Severity High
  • Priority Very High
  • Reported Version Any
  • Due in Version Starfix
  • Due Date Undecided
  • Votes
  • Private
Attached to Project: Packages
Opened by bugmen0t - 21/06/2018
Last edited by Emulatorman - 23/06/2018

FS#1027 - [gnupg] CVE-2018-12020

We are pleased to announce the availability of a new GnuPG release:
version 2.2.8. This version fixes a critical security bug and comes
with some other minor changes.
Closed by Emulatorman
23.06.2018 17:57
Reason for closing: Fixed

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.

Debian pushed a new patch (see attachment) to solve this issue in its stable version of GnuPG (2.1.18-8~deb9u2) [0], therefore upgrading the Debian patches in our package is enough to fix this issue.
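To make the spoofing mechanism in the CVE description concrete, the following constructed simulation (added here, not code from GnuPG, Debian or this bug report) models a minimal --status-fd consumer and feeds it a PLAINTEXT status line built from an attacker-chosen original filename. The line layout follows gpg's documented "PLAINTEXT <format> <timestamp> <filename>" shape (62 being the format code for binary data); the exact key ID, signer name and filename are made up, and the percent-escaping routine is an assumption modelled on GnuPG's usual escaping rather than a copy of the 2.2.8 fix.

```python
# Constructed model of CVE-2018-12020: a filename taken from the OpenPGP
# literal data packet is written into a status line. Before the fix it was
# written verbatim, so an embedded line feed lets the attacker append a
# forged status line that a --status-fd consumer cannot tell apart from a
# real one. This is an added example, not GnuPG's own code.

STATUS_PREFIX = "[GNUPG:] "   # prefix every gpg status line carries


def percent_escape(s):
    """Assumed hardening: percent-escape '%' and every control character
    (including LF and CR) so a filename can never span more than one line."""
    out = []
    for ch in s:
        if ch == "%" or ord(ch) < 0x20 or ch == "\x7f":
            out.append("%%%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def emit_plaintext_status(filename, escape, timestamp=0):
    """Emit the PLAINTEXT status line for a binary (format code 62) plaintext.
    escape=False models the pre-2.2.8 behaviour (filename written verbatim);
    escape=True models the fixed behaviour (filename percent-escaped)."""
    name = percent_escape(filename) if escape else filename
    return "%sPLAINTEXT 62 %d %s\n" % (STATUS_PREFIX, timestamp, name)


def parse_status_lines(status_output):
    """Minimal model of a --status-fd consumer: split the stream on line
    feeds and turn every '[GNUPG:] KEYWORD args' line into (keyword, args).
    Real consumers (mail clients, wrappers such as python-gnupg) do the same
    kind of line-oriented parsing, which is exactly what the injection abuses."""
    records = []
    for line in status_output.split("\n"):
        if not line.startswith(STATUS_PREFIX):
            continue
        keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
        records.append((keyword, args))
    return records


def signature_verified(records):
    """A consumer that trusts the stream would treat GOODSIG/VALIDSIG as proof
    that a valid signature was seen."""
    return any(kw in ("GOODSIG", "VALIDSIG") for kw, _ in records)


def demo():
    """Return (verified_before_fix, verified_after_fix) for a forged filename."""
    # Constructed attacker-controlled original filename: a harmless-looking
    # name, then a line feed and a forged GOODSIG line with a made-up key ID.
    malicious_name = (
        "report.txt\n"
        "[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Signer"
    )
    vulnerable_stream = emit_plaintext_status(malicious_name, escape=False)
    fixed_stream = emit_plaintext_status(malicious_name, escape=True)
    before = signature_verified(parse_status_lines(vulnerable_stream))
    after = signature_verified(parse_status_lines(fixed_stream))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("unescaped filename: signature reported valid =", before)
    print("escaped filename:   signature reported valid =", after)
```

Note that no real signature exists anywhere in the vulnerable run; the GOODSIG line comes entirely from the filename field of the data the attacker sent. Escaping on the producer side is the right fix, but a consumer that must cope with an older gpg can additionally refuse to trust GOODSIG or VALIDSIG lines that appear before the PLAINTEXT line of the same run, or insist on the `--status-fd` stream being separate from stderr (`--status-fd 1` or a dedicated pipe) so that plain diagnostics cannot be mistaken for status records either.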


I've pushed a new package called gnupg-stable that replaces gnupg; it contains the required patches to solve the issue. So, I'm closing this report, thank you for the report!
