mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
History
18 Apr 2022, 17:30
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.debian.org/debian-lts-announce/2021/12/msg00027.html - Mailing List, Third Party Advisory | |
References | (SECTRACK) http://www.securitytracker.com/id/1041051 - Broken Link | |
References | (BID) http://www.securityfocus.com/bid/104450 - Broken Link |
28 Dec 2021, 23:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
Information
Published : 2018-06-08 21:29
Updated : 2023-12-10 12:30
NVD link : CVE-2018-12020
Mitre link : CVE-2018-12020
CVE.ORG link : CVE-2018-12020
JSON object : View
Products Affected
debian
- debian_linux
redhat
- enterprise_linux_server_eus
- enterprise_linux_server_aus
- enterprise_linux_server_tus
- enterprise_linux_server
- enterprise_linux_workstation
- enterprise_linux_desktop
gnupg
- gnupg
canonical
- ubuntu_linux
CWE
CWE-706
Use of Incorrectly-Resolved Name or Reference