SecurityTracker.com
Category:   Application (Security)  >   GnuPG (GNU Privacy Guard)
Vendors:   Gnupg.org
(Ubuntu Issues Fix) GnuPG Filename Input Validation Flaw Lets Remote Users Spoof Status Messages
SecurityTracker Alert ID:  1041137
SecurityTracker URL:  http://securitytracker.com/id/1041137
CVE Reference:   CVE-2018-12020
Date:  Jun 18 2018
Impact:   Modification of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes

Description:   A vulnerability was reported in GnuPG. A remote user can spoof status messages.

A remote user can send a signed and encrypted email message that includes a specially crafted name for the original input file. GnuPG does not properly validate this filename when displaying it, which can be exploited to spoof status messages and fake the verification status of a signed email message.

Applications that use the GPGME library are not affected.

Marcus Brinkmann reported this vulnerability.

Impact:   A remote user can spoof status messages and fake the verification status of a signed email message.
Solution:   Ubuntu has issued a fix.

The Ubuntu advisory is available at:

https://usn.ubuntu.com/usn/usn-3675-1

Vendor URL:  usn.ubuntu.com/usn/usn-3675-3
Cause:   Input validation error
Underlying OS:  Linux (Ubuntu)
Underlying OS Comments:  12.04 ESM

Message History:   This archive entry is a follow-up to the message listed below.
Jun 10 2018 GnuPG Filename Input Validation Flaw Lets Remote Users Spoof Status Messages


