Subject: [ASA-201806-8] gnupg: content spoofing

Arch Linux Security Advisory ASA-201806-8
=========================================

Severity: High
Date    : 2018-06-11
CVE-ID  : CVE-2018-12020
Package : gnupg
Type    : content spoofing
Remote  : Yes
Link    : https://security.archlinux.org/AVG-713

Summary
=======

The package gnupg before version 2.2.8-1 is vulnerable to content spoofing.

Resolution
==========

Upgrade to 2.2.8-1.

# pacman -Syu "gnupg>=2.2.8-1"

The problem has been fixed upstream in version 2.2.8.

Workaround
==========

None.

Description
===========

A security issue has been found in gnupg before 2.2.8 that makes it possible to fake the verification status of signed content.

The OpenPGP protocol allows the file name of the original input file to be included in a signed or encrypted message. During decryption and verification, the gpg tool can display a notice containing that file name. The displayed file name is not sanitized and may therefore contain line feeds or other control characters. This can be used to inject terminal control sequences into the output and, worse, to fake the so-called status messages. Status messages are parsed by programs to obtain information from gpg about the validity of a signature and other parameters. They are created with the option "--status-fd N", where N is a file descriptor. If N is 2, the status messages and the regular diagnostic messages share the stderr output channel, so a made-up file name in the message can be used to fake status messages. Using this technique it is, for example, possible to fake the verification status of a signed mail.

Impact
======

A remote attacker might be able to fake the verification status of a signed e-mail or file via a crafted file name.

References
==========

https://bugs.archlinux.org/task/58931
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
https://dev.gnupg.org/T4012
https://dev.gnupg.org/rG210e402acd3e284b32db1901e43bf1470e659e49
https://security.archlinux.org/CVE-2018-12020
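The advisory's root cause is callers reading status messages from a descriptor that gpg also uses for diagnostics (stderr, "--status-fd 2"), so that text derived from an untrusted file name can sit next to, and be mistaken for, a "[GNUPG:]" line. The following Python script is an added example (not part of this advisory or of GnuPG) showing the caller-side mitigation: it gives gpg a dedicated pipe for "--status-fd", reads only that pipe, and interprets only lines carrying the exact "[GNUPG:] " prefix. The status keywords used (GOODSIG, VALIDSIG, BADSIG, TRUST_FULLY, ...) are GnuPG's documented ones; the sample status streams, key identifiers and fingerprints are constructed placeholders. run_gpg_verify() assumes a gpg binary on PATH; parse_status() and gpg_verify_argv() are pure and run offline.

```python
#!/usr/bin/env python3
"""Verify a signed file with gpg while keeping status output on its own
file descriptor, so nothing gpg prints as a diagnostic (including the
'original file name' notice abused in CVE-2018-12020) can reach the parser.

Added example; not part of the Arch advisory or of GnuPG.
"""
import os
import subprocess
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class VerifyResult:
    good_sig: bool = False
    valid_sig: bool = False
    trusted: bool = False
    key_ids: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def parse_status(status_text: str) -> VerifyResult:
    """Interpret gpg --status-fd output. Only lines that start with the
    exact '[GNUPG:] ' prefix are status lines; everything else is ignored.
    This parser must only ever be fed the dedicated status descriptor,
    never stderr, so diagnostics cannot masquerade as status lines."""
    result = VerifyResult()
    for raw in status_text.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "GOODSIG" and args:
            result.good_sig = True
            result.key_ids.append(args[0])
        elif keyword == "VALIDSIG":
            result.valid_sig = True
        elif keyword in ("TRUST_FULLY", "TRUST_ULTIMATE"):
            result.trusted = True
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY",
                         "EXPKEYSIG", "REVKEYSIG"):
            result.errors.append(raw)
    return result


def is_verified(result: VerifyResult) -> bool:
    """A signature counts as verified only with GOODSIG and VALIDSIG and
    no error keyword; trust level is reported separately."""
    return result.good_sig and result.valid_sig and not result.errors


def gpg_verify_argv(signed_path: str, status_fd: int, gpg: str = "gpg"):
    """Build the gpg command line. status_fd must not be 2 (stderr)."""
    if status_fd == 2:
        raise ValueError("status fd must not be stderr")
    return [gpg, "--batch", "--no-tty", "--status-fd", str(status_fd),
            "--verify", signed_path]


def run_gpg_verify(signed_path: str, gpg: str = "gpg") -> VerifyResult:
    """Run gpg with --status-fd pointed at a private pipe and parse only
    what arrives on that pipe. Diagnostics (stderr) are discarded here;
    a real tool could log them, but must never parse them for status."""
    read_end, write_end = os.pipe()
    proc = subprocess.Popen(
        gpg_verify_argv(signed_path, write_end, gpg),
        pass_fds=(write_end,),  # child inherits the pipe under the same fd number
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    os.close(write_end)  # parent keeps only the read end
    with os.fdopen(read_end, "rb") as status_pipe:
        status_bytes = status_pipe.read()  # EOF once gpg exits
    proc.wait()
    return parse_status(status_bytes.decode("utf-8", "replace"))


# Constructed sample status streams (placeholder key id / fingerprints).
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2018-06-11 1528675200 0 4 0 1 8 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_FULLY 0 pgp
gpg: a diagnostic-looking line without the prefix is ignored
"""

SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>
"""

if __name__ == "__main__":
    import sys
    res = run_gpg_verify(sys.argv[1])
    print("verified" if is_verified(res) else "NOT verified", res)
```

The key design point is structural rather than textual: because the parser is only ever connected to a descriptor that gpg uses for nothing but status lines, the question of whether a diagnostic line "looks like" a status line never arises. Upgrading to 2.2.8 fixes the sanitization in gpg itself; separating the descriptors protects a caller regardless of which gpg version is installed.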