Unrated severity · NVD Advisory · Published Jun 8, 2018 · Updated Aug 5, 2024
CVE-2018-12020
Description
mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
Affected products
48 OSV coordinates, 47 versions. No CPE is recorded; each coordinate is listed with its affected version range:
- pkg:apk/chainguard/gnupg: < 0
- pkg:apk/chainguard/gnupg-dirmngr: < 0
- pkg:apk/chainguard/gnupg-doc: < 0
- pkg:apk/chainguard/gnupg-gpgconf: < 0
- pkg:apk/chainguard/gnupg-lang: < 0
- pkg:apk/chainguard/gnupg-scdaemon: < 0
- pkg:apk/chainguard/gnupg-utils: < 0
- pkg:apk/chainguard/gnupg-wks-client: < 0
- pkg:apk/chainguard/gpg: < 0
- pkg:apk/chainguard/gpg-agent: < 0
- pkg:apk/chainguard/gpgsm: < 0
- pkg:apk/chainguard/gpgv: < 0
- pkg:apk/chainguard/gpg-wks-server: < 0
- pkg:apk/wolfi/gnupg: < 0
- pkg:apk/wolfi/gnupg-dirmngr: < 0
- pkg:apk/wolfi/gnupg-doc: < 0
- pkg:apk/wolfi/gnupg-gpgconf: < 0
- pkg:apk/wolfi/gnupg-lang: < 0
- pkg:apk/wolfi/gnupg-scdaemon: < 0
- pkg:apk/wolfi/gnupg-utils: < 0
- pkg:apk/wolfi/gnupg-wks-client: < 0
- pkg:apk/wolfi/gpg: < 0
- pkg:apk/wolfi/gpg-agent: < 0
- pkg:apk/wolfi/gpgsm: < 0
- pkg:apk/wolfi/gpgv: < 0
- pkg:apk/wolfi/gpg-wks-server: < 0
- pkg:rpm/opensuse/enigmail&distro=openSUSE%20Tumbleweed: < 2.2.4-1.4
- pkg:rpm/opensuse/gpg2&distro=openSUSE%20Tumbleweed: < 2.2.27-2.4
- pkg:rpm/opensuse/python-python-gnupg&distro=openSUSE%20Tumbleweed: < 0.5.2-1.5
- pkg:rpm/suse/enigmail&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015: < 2.0.7-3.7.2
- pkg:rpm/suse/gpg2&distro=SUSE%20Enterprise%20Storage%204: < 2.0.24-9.3.1
- pkg:rpm/suse/gpg2&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3: < 2.0.24-9.3.1
- pkg:rpm/suse/gpg2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015: < 2.2.5-4.3.1
- pkg:rpm/suse/gpg2&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3: < 2.0.9-25.33.42.3.1
- pkg:rpm/suse/gpg2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-LTSS: < 2.0.9-25.33.42.3.1
- pkg:rpm/suse/gpg2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-TERADATA: < 2.0.9-25.33.42.3.1
- pkg:rpm/suse/gpg2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4: < 2.0.9-25.33.42.3.1
- pkg:rpm/suse/gpg2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS: < 2.0.24-9.3.1
- pkg:rpm/suse/gpg2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL: < 2.0.24-9.3.1
- pkg:rpm/suse/gpg2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS: < 2.0.24-9.3.1
- pkg:rpm/suse/gpg2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3: < 2.0.24-9.3.1
- pkg:rpm/suse/gpg2&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS: < 2.0.24-9.3.1
- pkg:rpm/suse/gpg2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4: < 2.0.9-25.33.42.3.1
- pkg:rpm/suse/gpg2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1: < 2.0.24-9.3.1
- pkg:rpm/suse/gpg2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2: < 2.0.24-9.3.1
- pkg:rpm/suse/gpg2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3: < 2.0.24-9.3.1
- pkg:rpm/suse/gpg2&distro=SUSE%20OpenStack%20Cloud%207: < 2.0.24-9.3.1
Patches
Vulnerability mechanics
References (20)
- access.redhat.com/errata/RHSA-2018:2180 (mitre; vendor-advisory; x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2018:2181 (mitre; vendor-advisory; x_refsource_REDHAT)
- usn.ubuntu.com/3675-1/ (mitre; vendor-advisory; x_refsource_UBUNTU)
- usn.ubuntu.com/3675-2/ (mitre; vendor-advisory; x_refsource_UBUNTU)
- usn.ubuntu.com/3675-3/ (mitre; vendor-advisory; x_refsource_UBUNTU)
- usn.ubuntu.com/3964-1/ (mitre; vendor-advisory; x_refsource_UBUNTU)
- www.debian.org/security/2018/dsa-4222 (mitre; vendor-advisory; x_refsource_DEBIAN)
- www.debian.org/security/2018/dsa-4223 (mitre; vendor-advisory; x_refsource_DEBIAN)
- www.debian.org/security/2018/dsa-4224 (mitre; vendor-advisory; x_refsource_DEBIAN)
- openwall.com/lists/oss-security/2018/06/08/2 (mitre; x_refsource_MISC)
- packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html (mitre; x_refsource_MISC)
- seclists.org/fulldisclosure/2019/Apr/38 (mitre; mailing-list; x_refsource_FULLDISC)
- www.openwall.com/lists/oss-security/2019/04/30/4 (mitre; mailing-list; x_refsource_MLIST)
- www.securityfocus.com/bid/104450 (mitre; vdb-entry; x_refsource_BID)
- www.securitytracker.com/id/1041051 (mitre; vdb-entry; x_refsource_SECTRACK)
- dev.gnupg.org/T4012 (mitre; x_refsource_MISC)
- github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf (mitre; x_refsource_MISC)
- help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0 (mitre; x_refsource_CONFIRM)
- lists.debian.org/debian-lts-announce/2021/12/msg00027.html (mitre; mailing-list; x_refsource_MLIST)
- lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html (mitre; x_refsource_MISC)
News mentions (0)
No linked articles in our index yet.