Bug 657596 (CVE-2018-12020) - <app-crypt/gnupg-2.2.8: lack of file name sanitation allowing impact on status messages
Status: RESOLVED FIXED
Alias: CVE-2018-12020
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://dev/gnupg.org/T4012
Whiteboard: A4 [noglsa cve]
Keywords:
Depends on:
Blocks: 657058 659234
Reported: 2018-06-08 14:38 UTC by Kristian Fiskerstrand
Modified: 2018-07-08 11:27 UTC

See Also:
Package list:
dev-libs/libgpg-error-1.29 app-crypt/gnupg-2.2.8
Runtime testing required: ---
stable-bot: sanity-check+


Description Kristian Fiskerstrand gentoo-dev Security 2018-06-08 14:38:12 UTC
Impact
======

All current GnuPG versions are affected on all platforms.

All mail clients and other applications which make use of GPG but are
not utilizing the GPGME library might be affected.

The OpenPGP protocol allows including the file name of the original
input file in a signed or encrypted message.  During decryption and
verification the GPG tool can display a notice with that file name.  The
displayed file name is not sanitized and as such may include line feeds
or other control characters.  This can be used to inject terminal control
sequences into the output and, worse, to fake the so-called status
messages.  These status messages are parsed by programs to get
information from gpg about the validity of a signature and other
parameters.  Status messages are created with the option "--status-fd N"
where N is a file descriptor.  Now if N is 2 the status messages and the
regular diagnostic messages share the stderr output channel.  By using a
made up file name in the message it is possible to fake status messages.
Using this technique it is for example possible to fake the verification
status of a signed mail.

Although GnuPG takes great care to sanitize all diagnostic and status
output, the case at hand was missed but finally found and reported by
Marcus Brinkmann.  CVE-2018-12020 was assigned to this bug; GnuPG tracks
it at <https://dev/gnupg.org/T4012>.


Solution
========

If your application uses GPGME your application is safe.  Fortunately
most modern mail readers use GPGME, including GpgOL and KMail.  Mutt
users should make sure to use "set crypt_use_gpgme".

If you are parsing GnuPG status output and you use a dedicated file
descriptor with --status-fd you are safe.  A dedicated file descriptor
is one that is not shared with the log output.  The log output defaults
to stderr (2) but may be different if the option --logger-fd is used.

If you are not using --verbose you are safe.  But take care: --verbose
might be specified in the config file.  As a short term mitigation or if
you can't immediately upgrade to the latest versions, you can add
--no-verbose to the invocation of gpg.

Another short term mitigation is to redirect the log output to a
different file: For example "--log-file /dev/null".

The suggested solution is to update to GnuPG 2.2.8 or a vendor provided
update of their GnuPG version.

To check whether the bug has been fixed you may use the simple test at
the end of this mail [1].
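
The dedicated status descriptor described under "Solution", as an added example that is not part of the advisory or of GnuPG: a caller opens a private pipe for `--status-fd`, passes `--no-verbose`, and parses only that pipe. The function names (`parse_status`, `has_goodsig`, `build_argv`, `verify`) are hypothetical and both sample streams are constructed, not captured gpg output.

```python
import os
import subprocess

PREFIX = b"[GNUPG:] "

def parse_status(stream: bytes):
    """Return (keyword, args) for every status line in a --status-fd stream."""
    records = []
    for line in stream.splitlines():
        if line.startswith(PREFIX):
            keyword, _, args = line[len(PREFIX):].partition(b" ")
            records.append((keyword.decode("ascii", "replace"), args))
    return records

def has_goodsig(stream: bytes) -> bool:
    return any(keyword == "GOODSIG" for keyword, _ in parse_status(stream))

def build_argv(status_fd: int, path: str):
    """gpg argv whose status channel is not stdin, stdout or the stderr log."""
    if status_fd in (0, 1, 2):
        raise ValueError("status fd must be dedicated, not shared with stdio")
    return ["gpg", "--batch", "--no-verbose", "--status-fd", str(status_fd),
            "--verify", path]

def verify(path: str) -> bool:
    """Run gpg with its status lines on a private pipe (POSIX, needs gpg)."""
    rfd, wfd = os.pipe()
    with os.fdopen(rfd, "rb") as status:
        try:
            proc = subprocess.Popen(build_argv(wfd, path), pass_fds=(wfd,),
                                    stdout=subprocess.DEVNULL,
                                    stderr=subprocess.DEVNULL)
        finally:
            os.close(wfd)  # parent must drop the write end to see EOF
        data = status.read()
    proc.wait()
    return has_goodsig(data)

# Constructed samples, not captured gpg output.
# Shared channel (--status-fd 2 with --verbose): the unsanitized file name in
# the log line carries a line feed, so log text lands at the start of a line.
SHARED_STDERR = (b"gpg: original file name=''\n"
                 b"[GNUPG:] GOODSIG 0000000000000000 Example User\n"
                 b"'\n"
                 b"[GNUPG:] PLAINTEXT_LENGTH 5\n")
# Dedicated channel: only what gpg itself wrote to the status fd.
DEDICATED_STATUS = b"[GNUPG:] PLAINTEXT_LENGTH 5\n"
```

Run over the two samples, the same parser reports a good signature for the shared stderr stream and none for the dedicated one, which is why the advisory treats a descriptor shared with the log output as the unsafe case.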
Comment 1 Larry the Git Cow gentoo-dev 2018-06-08 15:00:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe590de14fb83ce48e1f71e505fc65fd919e4f59

commit fe590de14fb83ce48e1f71e505fc65fd919e4f59
Author:     Kristian Fiskerstrand <k_f@gentoo.org>
AuthorDate: 2018-06-08 14:53:01 +0000
Commit:     Kristian Fiskerstrand <k_f@gentoo.org>
CommitDate: 2018-06-08 15:00:23 +0000

    app-crypt/gnupg: New upstream version 2.2.8 (security fix)
    
    Bug: https://bugs.gentoo.org/657596
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 app-crypt/gnupg/Manifest           |   1 +
 app-crypt/gnupg/gnupg-2.2.8.ebuild | 130 +++++++++++++++++++++++++++++++++++++
 2 files changed, 131 insertions(+)
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2018-06-09 04:35:41 UTC
2.2.8 is rejected for stabilization, there will be a 2.2.9, presumably later today.
Comment 3 Kristian Fiskerstrand gentoo-dev Security 2018-06-13 20:24:07 UTC
(In reply to Kristian Fiskerstrand from comment #2)
> 2.2.8 is rejected for stabilization, there will be a 2.2.9, presumably later
> today.

For reference; https://lists.gnupg.org/pipermail/gnupg-devel/2018-June/033773.html
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2018-06-13 20:38:04 UTC
(In reply to Kristian Fiskerstrand from comment #3)
> (In reply to Kristian Fiskerstrand from comment #2)
> > 2.2.8 is rejected for stabilization, there will be a 2.2.9, presumably later
> > today.
> 
> For reference;
> https://lists.gnupg.org/pipermail/gnupg-devel/2018-June/033773.html

After speaking with upstream going for stabilization of 2.2.8, the main issue was the requirement for newer libgpg-error and the deps are already correct for the newer versions for us.
Comment 5 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-06-14 10:55:14 UTC
amd64 stable
Comment 6 Larry the Git Cow gentoo-dev 2018-06-15 09:35:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a54ed4dfc211139be027e1691bac4222150051e0

commit a54ed4dfc211139be027e1691bac4222150051e0
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-15 09:34:51 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-15 09:34:51 +0000

    app-crypt/gnupg: stable 2.2.8 for ia64, bug #657596
    
    Bug: https://bugs.gentoo.org/657596
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 app-crypt/gnupg/gnupg-2.2.8.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ad4baec0c1a7945677a60e4858cfd26e6f6e820

commit 4ad4baec0c1a7945677a60e4858cfd26e6f6e820
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-15 09:34:36 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-15 09:34:36 +0000

    dev-libs/libgpg-error: stable 1.29 for ia64, bug #657596
    
    Bug: https://bugs.gentoo.org/657596
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 dev-libs/libgpg-error/libgpg-error-1.29.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 7 Thomas Deutschmann gentoo-dev Security 2018-06-17 23:31:00 UTC
x86 stable
Comment 8 Larry the Git Cow gentoo-dev 2018-06-18 18:31:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d4dfef1590ec8ccd55bce908368f62f3248465eb

commit d4dfef1590ec8ccd55bce908368f62f3248465eb
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-06-18 16:26:53 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-18 18:30:55 +0000

    dev-libs/libgpg-error: stable 1.29 for sparc
    
    Bug: https://bugs.gentoo.org/657596
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-libs/libgpg-error/libgpg-error-1.29.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=de999fba9469259f5b111b4e8df41011bfec4932

commit de999fba9469259f5b111b4e8df41011bfec4932
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-06-18 16:26:22 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-18 18:30:52 +0000

    app-crypt/gnupg: stable 2.2.8 for sparc
    
    Bug: https://bugs.gentoo.org/657596
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 app-crypt/gnupg/gnupg-2.2.8.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 9 Mart Raudsepp gentoo-dev 2018-06-19 14:31:39 UTC
arm64 stable
Comment 10 Larry the Git Cow gentoo-dev 2018-06-24 19:39:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03f7429b0c895cb2c1ad12568a6fedb4187801a3

commit 03f7429b0c895cb2c1ad12568a6fedb4187801a3
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 18:13:52 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 19:36:07 +0000

    app-crypt/gnupg: stable 2.2.8 for ppc, bug #657596
    
    Bug: https://bugs.gentoo.org/657596
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

 app-crypt/gnupg/gnupg-2.2.8.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=607d0890b68339657a625e5d8d24de251241cf76

commit 607d0890b68339657a625e5d8d24de251241cf76
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 17:44:27 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 19:35:37 +0000

    dev-libs/libgpg-error: stable 1.29 for ppc, bug #657596
    
    Bug: https://bugs.gentoo.org/657596
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

 dev-libs/libgpg-error/libgpg-error-1.29.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 11 Larry the Git Cow gentoo-dev 2018-06-24 20:23:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1281b81051d6110b128a0dbe93be3392d75a2ce2

commit 1281b81051d6110b128a0dbe93be3392d75a2ce2
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 20:08:44 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 20:21:08 +0000

    app-crypt/gnupg: stable 2.2.8 for ppc64, bug #657596
    
    Bug: https://bugs.gentoo.org/657596
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 app-crypt/gnupg/gnupg-2.2.8.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01403628ca20177cbaf3d7935a02500d0d2bf7c3

commit 01403628ca20177cbaf3d7935a02500d0d2bf7c3
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 19:55:06 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 20:20:41 +0000

    dev-libs/libgpg-error: stable 1.29 for ppc64, bug #657596
    
    Bug: https://bugs.gentoo.org/657596
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 dev-libs/libgpg-error/libgpg-error-1.29.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 12 Tobias Klausmann gentoo-dev 2018-06-26 10:19:31 UTC
Stable on alpha.
Comment 13 Markus Meier gentoo-dev 2018-07-07 10:44:54 UTC
arm stable, all arches done.
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-07-08 01:32:18 UTC
@maintainer(s), please clean.
Comment 15 Larry the Git Cow gentoo-dev 2018-07-08 11:22:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abc2f318ed4a24ca6154f0ecc3cc9a23c4646f4b

commit abc2f318ed4a24ca6154f0ecc3cc9a23c4646f4b
Author:     Kristian Fiskerstrand <k_f@gentoo.org>
AuthorDate: 2018-07-08 11:21:46 +0000
Commit:     Kristian Fiskerstrand <k_f@gentoo.org>
CommitDate: 2018-07-08 11:21:46 +0000

    app-crypt/gnupg: Cleanup old
    
    Bug: https://bugs.gentoo.org/657596
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 app-crypt/gnupg/Manifest               |   5 --
 app-crypt/gnupg/gnupg-2.1.15.ebuild    | 157 ---------------------------------
 app-crypt/gnupg/gnupg-2.1.20-r1.ebuild | 122 -------------------------
 app-crypt/gnupg/gnupg-2.2.4-r2.ebuild  | 130 ---------------------------
 app-crypt/gnupg/gnupg-2.2.4.ebuild     | 129 ---------------------------
 app-crypt/gnupg/gnupg-2.2.6.ebuild     | 130 ---------------------------
 app-crypt/gnupg/gnupg-2.2.7.ebuild     | 130 ---------------------------
 7 files changed, 803 deletions(-)