Impact
======

All current GnuPG versions are affected on all platforms. All mail clients and other applications which make use of GPG but are not utilizing the GPGME library might be affected.

The OpenPGP protocol allows including the file name of the original input file in a signed or encrypted message. During decryption and verification the GPG tool can display a notice with that file name. The displayed file name is not sanitized and as such may include line feeds or other control characters. This can be used to inject terminal control sequences into the output and, worse, to fake the so-called status messages. These status messages are parsed by programs to get information from gpg about the validity of a signature and other parameters. Status messages are created with the option "--status-fd N" where N is a file descriptor. Now if N is 2 the status messages and the regular diagnostic messages share the stderr output channel. By using a made-up file name in the message it is possible to fake status messages. Using this technique it is for example possible to fake the verification status of a signed mail.

Although GnuPG takes great care to sanitize all diagnostic and status output, the case at hand was missed but finally found and reported by Marcus Brinkmann. CVE-2018-12020 was assigned to this bug; GnuPG tracks it at <https://dev.gnupg.org/T4012>.

Solution
========

If your application uses GPGME, your application is safe. Fortunately most modern mail readers use GPGME, including GpgOL and KMail. Mutt users should make sure to use "set crypt_use_gpgme".

If you are parsing GnuPG status output and you use a dedicated file descriptor with --status-fd, you are safe. A dedicated file descriptor is one that is not shared with the log output. The log output defaults to stderr (2) but may be different if the option --logger-fd is used.

If you are not using --verbose, you are safe. But take care: --verbose might be specified in the config file.
As a short-term mitigation, or if you can't immediately upgrade to the latest versions, you can add --no-verbose to the invocation of gpg. Another short-term mitigation is to redirect the log output to a different file, for example "--log-file /dev/null".

The suggested solution is to update to GnuPG 2.2.8 or a vendor-provided update of their GnuPG version. To check whether the bug has been fixed you may use the simple test at the end of this mail [1].
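The advisory's safe pattern for programs that drive gpg themselves (rather than through GPGME) is a status channel that is not shared with the log output, plus --no-verbose so a config-file "verbose" cannot re-enable diagnostics. The following Python is an added example, not GnuPG's or Gentoo's code: it opens a private pipe for --status-fd, pins logging to stderr with --logger-fd 2, and parses status lines strictly so the parser refuses to run over a channel that also carries log text. The gpg options used (--batch, --no-tty, --no-verbose, --status-fd, --logger-fd) are real gpg options; the status-line samples are constructed for the demo, and `run_gpg` is only useful where a gpg binary is installed.

```python
"""Parsing GnuPG status output over a dedicated file descriptor (added example)."""
import os
import subprocess
import tempfile
from dataclasses import dataclass, field

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class StatusResult:
    lines: list = field(default_factory=list)      # (keyword, arguments), in order
    good_sigs: list = field(default_factory=list)  # key IDs from GOODSIG lines
    bad_sigs: list = field(default_factory=list)   # key IDs from BADSIG/ERRSIG lines

    @property
    def verified(self):
        """True only if at least one signature was seen and none was bad."""
        return bool(self.good_sigs) and not self.bad_sigs


def parse_status_lines(text):
    """Parse what the status fd carried. Any non-status line raises, because a
    dedicated status channel must carry nothing but "[GNUPG:] ..." lines; this
    is what stops the parser from ever being pointed at a shared stderr."""
    result = StatusResult()
    for raw in text.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            raise ValueError("non-status line on status fd: %r" % raw)
        keyword, _, args = raw[len(STATUS_PREFIX):].partition(" ")
        result.lines.append((keyword, args))
        if keyword == "GOODSIG":
            result.good_sigs.append(args.split(" ", 1)[0])
        elif keyword in ("BADSIG", "ERRSIG"):
            result.bad_sigs.append(args.split(" ", 1)[0])
    return result


def build_gpg_command(status_fd, gpg_args, gpg="gpg"):
    """Status goes to its own fd, log output is forced onto stderr (fd 2), and
    --no-verbose overrides a "verbose" line in gpg.conf."""
    return [gpg, "--batch", "--no-tty", "--no-verbose",
            "--status-fd", str(status_fd), "--logger-fd", "2", *gpg_args]


def run_gpg(gpg_args, gpg="gpg"):
    """Run gpg with a private status pipe. Returns (exit code, StatusResult, log text).
    Requires a real gpg binary; the parser above is what the offline demo exercises."""
    read_end, write_end = os.pipe()
    with tempfile.TemporaryFile() as log:           # stderr kept, but never parsed for status
        proc = subprocess.Popen(build_gpg_command(write_end, gpg_args, gpg),
                                pass_fds=(write_end,),
                                stdout=subprocess.DEVNULL, stderr=log)
        os.close(write_end)                          # child now holds the only writer
        with os.fdopen(read_end, "r", encoding="utf-8", errors="replace") as status:
            status_text = status.read()              # EOF once gpg exits
        code = proc.wait()
        log.seek(0)
        log_text = log.read().decode("utf-8", "replace")
    return code, parse_status_lines(status_text), log_text


# Constructed sample of a dedicated status fd for one good signature (not real gpg output).
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>\n"
)

# Constructed sample of stderr when "--status-fd 2" is used: log lines interleave with status.
SAMPLE_SHARED_STDERR = (
    "gpg: Signature made Fri Jun  8 14:53:01 2018 UTC\n"
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>\n"
)


def demo():
    """A dedicated channel parses cleanly; a shared channel is rejected outright."""
    dedicated = parse_status_lines(SAMPLE_STATUS)
    try:
        parse_status_lines(SAMPLE_SHARED_STDERR)
        shared_rejected = False
    except ValueError:
        shared_rejected = True
    return dedicated.verified, shared_rejected


if __name__ == "__main__":
    print(demo())   # (True, True)
```

The strictness of `parse_status_lines` is deliberate: a parser that tolerates unknown lines is exactly the kind that can be fed a shared stderr without anyone noticing, which is the configuration the advisory warns about.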
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe590de14fb83ce48e1f71e505fc65fd919e4f59

commit fe590de14fb83ce48e1f71e505fc65fd919e4f59
Author:     Kristian Fiskerstrand <k_f@gentoo.org>
AuthorDate: 2018-06-08 14:53:01 +0000
Commit:     Kristian Fiskerstrand <k_f@gentoo.org>
CommitDate: 2018-06-08 15:00:23 +0000

    app-crypt/gnupg: New upstream version 2.2.8 (security fix)

    Bug: https://bugs.gentoo.org/657596
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 app-crypt/gnupg/Manifest           |   1 +
 app-crypt/gnupg/gnupg-2.2.8.ebuild | 130 +++++++++++++++++++++++++++++++++++++
 2 files changed, 131 insertions(+)
2.2.8 is rejected for stabilization, there will be a 2.2.9, presumably later today.
(In reply to Kristian Fiskerstrand from comment #2)
> 2.2.8 is rejected for stabilization, there will be a 2.2.9, presumably later
> today.

For reference; https://lists.gnupg.org/pipermail/gnupg-devel/2018-June/033773.html
(In reply to Kristian Fiskerstrand from comment #3)
> (In reply to Kristian Fiskerstrand from comment #2)
> > 2.2.8 is rejected for stabilization, there will be a 2.2.9, presumably later
> > today.
>
> For reference;
> https://lists.gnupg.org/pipermail/gnupg-devel/2018-June/033773.html

After speaking with upstream, going for stabilization of 2.2.8; the main issue was the requirement for newer libgpg-error and the deps are already correct for the newer versions for us.
amd64 stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a54ed4dfc211139be027e1691bac4222150051e0

commit a54ed4dfc211139be027e1691bac4222150051e0
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-15 09:34:51 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-15 09:34:51 +0000

    app-crypt/gnupg: stable 2.2.8 for ia64, bug #657596

    Bug: https://bugs.gentoo.org/657596
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 app-crypt/gnupg/gnupg-2.2.8.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ad4baec0c1a7945677a60e4858cfd26e6f6e820

commit 4ad4baec0c1a7945677a60e4858cfd26e6f6e820
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-15 09:34:36 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-15 09:34:36 +0000

    dev-libs/libgpg-error: stable 1.29 for ia64, bug #657596

    Bug: https://bugs.gentoo.org/657596
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 dev-libs/libgpg-error/libgpg-error-1.29.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
x86 stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d4dfef1590ec8ccd55bce908368f62f3248465eb

commit d4dfef1590ec8ccd55bce908368f62f3248465eb
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-06-18 16:26:53 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-18 18:30:55 +0000

    dev-libs/libgpg-error: stable 1.29 for sparc

    Bug: https://bugs.gentoo.org/657596
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-libs/libgpg-error/libgpg-error-1.29.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=de999fba9469259f5b111b4e8df41011bfec4932

commit de999fba9469259f5b111b4e8df41011bfec4932
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-06-18 16:26:22 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-18 18:30:52 +0000

    app-crypt/gnupg: stable 2.2.8 for sparc

    Bug: https://bugs.gentoo.org/657596
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 app-crypt/gnupg/gnupg-2.2.8.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
arm64 stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03f7429b0c895cb2c1ad12568a6fedb4187801a3

commit 03f7429b0c895cb2c1ad12568a6fedb4187801a3
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 18:13:52 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 19:36:07 +0000

    app-crypt/gnupg: stable 2.2.8 for ppc, bug #657596

    Bug: https://bugs.gentoo.org/657596
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

 app-crypt/gnupg/gnupg-2.2.8.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=607d0890b68339657a625e5d8d24de251241cf76

commit 607d0890b68339657a625e5d8d24de251241cf76
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 17:44:27 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 19:35:37 +0000

    dev-libs/libgpg-error: stable 1.29 for ppc, bug #657596

    Bug: https://bugs.gentoo.org/657596
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

 dev-libs/libgpg-error/libgpg-error-1.29.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1281b81051d6110b128a0dbe93be3392d75a2ce2

commit 1281b81051d6110b128a0dbe93be3392d75a2ce2
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 20:08:44 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 20:21:08 +0000

    app-crypt/gnupg: stable 2.2.8 for ppc64, bug #657596

    Bug: https://bugs.gentoo.org/657596
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 app-crypt/gnupg/gnupg-2.2.8.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01403628ca20177cbaf3d7935a02500d0d2bf7c3

commit 01403628ca20177cbaf3d7935a02500d0d2bf7c3
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-06-24 19:55:06 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-24 20:20:41 +0000

    dev-libs/libgpg-error: stable 1.29 for ppc64, bug #657596

    Bug: https://bugs.gentoo.org/657596
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc64"

 dev-libs/libgpg-error/libgpg-error-1.29.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Stable on alpha.
arm stable, all arches done.
@maintainer(s), please clean.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abc2f318ed4a24ca6154f0ecc3cc9a23c4646f4b

commit abc2f318ed4a24ca6154f0ecc3cc9a23c4646f4b
Author:     Kristian Fiskerstrand <k_f@gentoo.org>
AuthorDate: 2018-07-08 11:21:46 +0000
Commit:     Kristian Fiskerstrand <k_f@gentoo.org>
CommitDate: 2018-07-08 11:21:46 +0000

    app-crypt/gnupg: Cleanup old

    Bug: https://bugs.gentoo.org/657596
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 app-crypt/gnupg/Manifest               |   5 --
 app-crypt/gnupg/gnupg-2.1.15.ebuild    | 157 ---------------------------------
 app-crypt/gnupg/gnupg-2.1.20-r1.ebuild | 122 -------------------------
 app-crypt/gnupg/gnupg-2.2.4-r2.ebuild  | 130 ---------------------------
 app-crypt/gnupg/gnupg-2.2.4.ebuild     | 129 ---------------------------
 app-crypt/gnupg/gnupg-2.2.6.ebuild     | 130 ---------------------------
 app-crypt/gnupg/gnupg-2.2.7.ebuild     | 130 ---------------------------
 7 files changed, 803 deletions(-)