CVE-2018-12020

Source
Severity High
Remote Yes
Type Content spoofing
Description
A security issue has been found in gnupg before 2.2.8 that makes it possible to fake the verification status of signed content. The OpenPGP protocol allows the file name of the original input file to be included in a signed or encrypted message. During decryption and verification the GPG tool can display a notice with that file name. The displayed file name is not sanitized and as such may include line feeds or other control characters. This can be used to inject terminal control sequences into the output and, worse, to fake the so-called status messages. These status messages are parsed by programs to get information from gpg about the validity of a signature and other parameters. Status messages are created with the option "--status-fd N", where N is a file descriptor. If N is 2, the status messages and the regular diagnostic messages share the stderr output channel. By using a made-up file name in the message it is possible to fake status messages. Using this technique it is, for example, possible to fake the verification status of a signed mail.
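The defensive counterpart to the description above, as an added example that is not part of the Arch advisory or of GnuPG's own code: a caller that keeps gpg's status channel separate from stderr (a dedicated pipe rather than "--status-fd 2"), parses only lines carrying the real "[GNUPG:]" prefix from that channel, and flags any diagnostic output that contains control characters or a status-looking line. The helper names (parse_status_lines, signature_is_good, suspicious_diagnostics, gpg_verify_command, run_verify) are assumptions of this example; the gpg flags and the status keywords (GOODSIG, VALIDSIG, BADSIG, ERRSIG, EXPSIG, EXPKEYSIG, REVKEYSIG, NODATA, NEWSIG, TRUST_FULLY) are the ones documented in GnuPG's doc/DETAILS. The sample status and stderr text is constructed for the example.

```python
import os
import subprocess
from typing import Dict, List, Optional

# Real prefix gpg puts on every status line (see GnuPG doc/DETAILS).
STATUS_TAG = "[GNUPG:]"
STATUS_PREFIX = STATUS_TAG + " "

# Status keywords that mean "do not trust this signature", per doc/DETAILS.
NEGATIVE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}


def parse_status_lines(status_text: str) -> List[Dict[str, str]]:
    """Parse text read from a *dedicated* status file descriptor.

    Only lines beginning with the exact "[GNUPG:] " prefix are status lines;
    anything else on that channel is ignored. Each record is
    {"keyword": <first word>, "args": <rest of the line>}.
    """
    records = []
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
        records.append({"keyword": keyword, "args": args})
    return records


def signature_is_good(records: List[Dict[str, str]]) -> bool:
    """Accept only when gpg reported GOODSIG and VALIDSIG and nothing negative."""
    keywords = [r["keyword"] for r in records]
    if any(k in NEGATIVE_KEYWORDS for k in keywords):
        return False
    return "GOODSIG" in keywords and "VALIDSIG" in keywords


def has_control_chars(text: str) -> bool:
    """True if the text contains any C0 control character or DEL."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in text)


def suspicious_diagnostics(stderr_text: str) -> List[str]:
    """Flag stderr lines that carry control characters or look like status lines.

    With the status channel on its own fd, a "[GNUPG:]" tag or a control
    character on stderr can only come from attacker-influenced content such
    as the embedded original file name.
    """
    return [line for line in stderr_text.split("\n")
            if STATUS_TAG in line or has_control_chars(line)]


def gpg_verify_command(sig_path: str, data_path: Optional[str], status_fd: int) -> List[str]:
    """Build the gpg --verify invocation with the status channel on a dedicated fd."""
    if status_fd in (1, 2):
        raise ValueError("status fd must not be shared with stdout or stderr")
    cmd = ["gpg", "--batch", "--no-tty", "--status-fd", str(status_fd), "--verify", sig_path]
    if data_path:
        cmd.append(data_path)
    return cmd


def run_verify(sig_path: str, data_path: Optional[str] = None) -> Dict[str, object]:
    """Run gpg (POSIX only) with a private pipe for status output and evaluate it."""
    read_end, write_end = os.pipe()
    try:
        proc = subprocess.run(gpg_verify_command(sig_path, data_path, write_end),
                              capture_output=True, text=True, pass_fds=(write_end,))
    finally:
        os.close(write_end)          # child has exited; reader now sees EOF
    with os.fdopen(read_end) as status_stream:
        records = parse_status_lines(status_stream.read())
    return {"ok": signature_is_good(records),
            "status": records,
            "flagged_stderr": suspicious_diagnostics(proc.stderr)}


# Constructed sample output (not captured from a real gpg run).
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-06-08 "
    "1528416000 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_FULLY 0 pgp\n"
)
SAMPLE_STDERR_CLEAN = (
    "gpg: Signature made Fri Jun  8 2018\n"
    'gpg: Good signature from "Example User <user@example.org>"\n'
)
# Constructed: an original-file-name notice carrying an ESC byte, which a
# sanitized gpg (2.2.8+) would never print verbatim.
SAMPLE_STDERR_TAMPERED = SAMPLE_STDERR_CLEAN + "gpg: original file name='report\x1b[2J.txt'\n"

if __name__ == "__main__":
    print(signature_is_good(parse_status_lines(SAMPLE_STATUS)))
    print(suspicious_diagnostics(SAMPLE_STDERR_TAMPERED))
```

The design point is the fd separation: once status lines arrive on a pipe that nothing else writes to, the parser can trust the "[GNUPG:]" prefix, and any such tag or control character showing up on stderr becomes a detectable anomaly rather than a spoofable signal.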
Group: AVG-713 | Package: gnupg | Affected: 2.2.7-1 | Fixed: 2.2.8-1 | Severity: High | Status: Fixed | Ticket: FS#58931
Date: 11 Jun 2018 | Advisory: ASA-201806-8 | Group: AVG-713 | Package: gnupg | Severity: High | Description: content spoofing
References
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
https://dev.gnupg.org/T4012
https://dev.gnupg.org/rG210e402acd3e284b32db1901e43bf1470e659e49