Category:   Application (Security)  >   GnuPG (Gnu Privacy Guard)
Vendors:   Gnupg.org
GnuPG Filename Input Validation Flaw Lets Remote Users Spoof Status Messages
SecurityTracker Alert ID:  1041051
SecurityTracker URL:  http://securitytracker.com/id/1041051
CVE Reference:   CVE-2018-12020
Date:  Jun 10 2018
Impact:   Modification of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes

Description:   A vulnerability was reported in GnuPG. A remote user can spoof status messages.

A remote user can send a signed and encrypted email message in which the name of the original input file is specially crafted. When GnuPG displays that filename, the crafted name triggers an input validation flaw in the processing of filenames. This can be exploited to spoof status messages and fake the verification status of a signed email message.
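
The defence against this class of flaw is to escape an untrusted name before it reaches line-oriented output. The C code below is an added example, not GnuPG's code or the vendor's patch; the log line format, the single stream carrying both log and status lines, the placeholder status keyword, and the names escape_name, count_status_lines, status_lines_after_logging and SAMPLE_NAME are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define STATUS_PREFIX "[GNUPG:] " /* prefix GnuPG puts on status lines */

/* Escape an untrusted name: control bytes, DEL and '\' become \xHH, so the
   result stays on one line. Returns the length, or -1 if out is too small. */
int escape_name(const char *name, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    for (; *name; name++) {
        unsigned char c = (unsigned char)*name;
        int unsafe = c < 0x20 || c == 0x7f || c == '\\';
        if (o + (unsafe ? 4 : 1) + 1 > outsz) return -1;
        if (unsafe)
            o += (size_t)snprintf(out + o, 5, "\\x%02x", (unsigned)c);
        else
            out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* A line-oriented caller's view: count lines that start with the prefix. */
int count_status_lines(const char *s)
{
    int n = 0;
    for (; s && *s; s = strchr(s, '\n'), s = s ? s + 1 : NULL)
        n += strncmp(s, STATUS_PREFIX, strlen(STATUS_PREFIX)) == 0;
    return n;
}

/* Constructed sample: a newline followed by a placeholder status line. */
static const char SAMPLE_NAME[] = "notes.txt\n" STATUS_PREFIX "EXAMPLE_STATUS";

/* Log the name raw or escaped; return the status lines a caller then sees. */
int status_lines_after_logging(const char *name, int escape)
{
    char safe[256] = "", stream[512];
    if (escape && escape_name(name, safe, sizeof safe) < 0)
        return -1;
    snprintf(stream, sizeof stream, "log: file name='%s'\n", escape ? safe : name);
    return count_status_lines(stream);
}

int main(void)
{
    printf("raw=%d escaped=%d\n", status_lines_after_logging(SAMPLE_NAME, 0),
           status_lines_after_logging(SAMPLE_NAME, 1));
}
```

Logged raw, the constructed name yields one line that a prefix-matching caller would take for a status line; logged escaped, it yields none.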

Applications that use the GPGME library are not affected.

Marcus Brinkmann reported this vulnerability.

Impact:   A remote user can spoof status messages and fake the verification status of a signed email message.
Solution:   The vendor has issued a fix (2.2.8).

The vendor advisory is available at:

https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

Vendor URL:  gnupg.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 12 2018 (Ubuntu Issues Fix) GnuPG Filename Input Validation Flaw Lets Remote Users Spoof Status Messages
Ubuntu has issued a fix for Ubuntu Linux 14.04 LTS, 16.04 LTS, 17.10, and 18.04 LTS.
Jun 15 2018 (Ubuntu Issues Fix) GnuPG Filename Input Validation Flaw Lets Remote Users Spoof Status Messages
Ubuntu has issued a fix for Ubuntu Linux 14.04 LTS and 16.04 LTS.




Copyright 2018, SecurityGlobal.net LLC