SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Security)  >   GnuPG (Gnu Privacy Guard) Vendors:   Gnupg.org
(Oracle Issues Fix for Oracle Linux) GnuPG Filename Input Validation Flaw Lets Remote Users Spoof Status Messages
SecurityTracker Alert ID:  1041278
SecurityTracker URL:  http://securitytracker.com/id/1041278
CVE Reference:   CVE-2018-12020
Date:  Jul 12 2018
Impact:   Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability was reported in GnuPG (CVE-2018-12020). A remote user can spoof the status messages that GnuPG emits on its --status-fd interface for other programs to parse.

A remote user can send a signed or encrypted OpenPGP message (for example, an email) whose literal-data packet carries a specially crafted original filename. When GnuPG runs in verbose mode, it writes this filename to its diagnostic output without sanitizing it. A filename containing newline characters followed by a forged "[GNUPG:]" prefix therefore injects fake status lines whenever the status output is sent to the same file descriptor as the diagnostics (e.g. --status-fd 2). This can be exploited to spoof status messages and fake the verification status of a signed email message.

Applications that use the GPGME library are not affected.

Marcus Brinkmann reported this vulnerability.
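The following Python model is an added example, not code from GnuPG, Oracle, or the original advisory. It does not run gpg; it simulates how a front-end that read status lines from a stream merged with gpg's verbose diagnostics (--verbose --status-fd 2) could be fooled by a crafted original filename, how the sanitization in the fixed package defeats this, and why reading status from a dedicated descriptor is an independent consumer-side defence. The filename, key ID, user ID and status lines are constructed placeholders, and sanitize_for_log is an approximation of GnuPG's escaping, not its exact routine.

```python
"""Model of CVE-2018-12020 (status-line spoofing via the original filename).

Constructed example; it does not execute gpg. It models the text a front-end
saw on one stream when gpg ran with --verbose and --status-fd 2.
"""

STATUS_PREFIX = "[GNUPG:] "

# Constructed attacker-controlled filename from the literal-data packet. The
# embedded newline starts a new line in gpg's diagnostic output, and the key
# ID / user ID are made-up placeholders.
SPOOFED_FILENAME = (
    "report.txt\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>\n"
    "[GNUPG:] TRUST_FULLY 0 pgp\n"
    "gpg: padding"
)

# Constructed genuine status lines for an encrypted but UNSIGNED message:
# no GOODSIG or VALIDSIG is ever legitimately emitted for it.
GENUINE_STATUS = [
    "[GNUPG:] BEGIN_DECRYPTION",
    "[GNUPG:] DECRYPTION_OKAY",
    "[GNUPG:] END_DECRYPTION",
]


def sanitize_for_log(s):
    """Escape control characters so a filename cannot break out of its line.
    Modelled on GnuPG's \\n / \\xNN style escaping; an approximation only."""
    named = {"\n": "\\n", "\r": "\\r", "\t": "\\t"}
    out = []
    for c in s:
        if c in named:
            out.append(named[c])
        elif ord(c) < 0x20 or c == "\x7f":
            out.append("\\x%02x" % ord(c))
        else:
            out.append(c)
    return "".join(out)


def render_merged_stderr(filename, status_lines, sanitize):
    """Model of gpg --verbose --status-fd 2: the 'original file name'
    diagnostic and the status lines share one stream. sanitize=False models
    the unfixed behaviour, sanitize=True the fixed package."""
    shown = sanitize_for_log(filename) if sanitize else filename
    lines = ["gpg: original file name='%s'" % shown]
    lines.extend(status_lines)
    return "\n".join(lines) + "\n"


def parse_status(stream):
    """Naive consumer: every line starting with '[GNUPG:] ' is trusted as a
    status line. Returns the list of status keywords seen."""
    keywords = []
    for line in stream.splitlines():
        if line.startswith(STATUS_PREFIX):
            keywords.append(line[len(STATUS_PREFIX):].split(" ", 1)[0])
    return keywords


def signature_verified(keywords):
    """Verdict logic typical of a mail plugin: GOODSIG or VALIDSIG means the
    signature was accepted."""
    return "GOODSIG" in keywords or "VALIDSIG" in keywords


def verdict_unfixed_merged():
    """Unfixed gpg, status merged with stderr: the forged line is believed."""
    stream = render_merged_stderr(SPOOFED_FILENAME, GENUINE_STATUS, sanitize=False)
    return signature_verified(parse_status(stream))


def verdict_fixed_merged():
    """Fixed gpg: the escaped filename stays on the diagnostic line."""
    stream = render_merged_stderr(SPOOFED_FILENAME, GENUINE_STATUS, sanitize=True)
    return signature_verified(parse_status(stream))


def verdict_dedicated_status_fd():
    """Consumer-side hardening independent of the gpg fix: read status from
    its own descriptor (e.g. --status-fd 3), never from stderr, so verbose
    diagnostics can never be mistaken for status lines."""
    return signature_verified(parse_status("\n".join(GENUINE_STATUS) + "\n"))


if __name__ == "__main__":
    print("unfixed gpg, merged stream  :", verdict_unfixed_merged())
    print("fixed gpg, merged stream    :", verdict_fixed_merged())
    print("dedicated status descriptor :", verdict_dedicated_status_fd())
```

The unfixed case reports a verified signature for a message that was never signed. Two independent fixes each close it: the updated gpg escapes the filename before logging it, and a consumer that keeps --status-fd on a descriptor separate from stderr (and does not rely on --verbose output) never sees diagnostics and status lines interleaved in the first place.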

Impact:   A remote user can spoof status messages and fake the verification status of a signed email message.
Solution:   Oracle has issued a fix.

The Oracle Linux advisory is available at:

http://linux.oracle.com/errata/ELSA-2018-2181.html

Vendor URL:  linux.oracle.com/errata/ELSA-2018-2181.html
Cause:   Input validation error
Underlying OS:  Linux (Oracle)
Underlying OS Comments:  7

Message History:   This archive entry is a follow-up to the message listed below.
Jun 10 2018 GnuPG Filename Input Validation Flaw Lets Remote Users Spoof Status Messages



 Source Message Contents

Subject:  [El-errata] ELSA-2018-2181 Important: Oracle Linux 7 gnupg2 security update

Oracle Linux Security Advisory ELSA-2018-2181

http://linux.oracle.com/errata/ELSA-2018-2181.html

The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
gnupg2-2.0.22-5.el7_5.x86_64.rpm
gnupg2-smime-2.0.22-5.el7_5.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/gnupg2-2.0.22-5.el7_5.src.rpm



Description of changes:

[2.0.22-5]
- fix CVE-2018-12020 - missing sanitization of original filename


_______________________________________________
El-errata mailing list
El-errata@oss.oracle.com
https://oss.oracle.com/mailman/listinfo/el-errata






Copyright 2019, SecurityGlobal.net LLC