oss-sec mailing list archives
CVE-2018-12020, CVE-2018-12019 in GnuPG, Enigmails, GPGTools, python-gnupg
From: Marcus Brinkmann <marcus.brinkmann () ruhr-uni-bochum de>
Date: Wed, 13 Jun 2018 20:22:23 +0200
I have published my reports: CVE-2018-12020: The signature verification routine in Enigmail 2.0.6.1, GPGTools 2018.2, and python-gnupg 0.4.2 parse the output of GnuPG 2.2.6 with a “--status-fd 2” option, which allows remote attackers to spoof arbitrary signatures via the embedded “filename” parameter in OpenPGP literal data packets, if the user has the verbose option set in their gpg.conf file. https://neopg.io/blog/gpg-signature-spoof/ CVE-2018-12019: The signature verification routine in Enigmail 2.0.6.1 interprets user ids as status/control messages and does not correctly keep track of the status of multiple signatures, which allows remote attackers to spoof arbitrary email signatures via public keys containing crafted primary user ids. https://neopg.io/blog/enigmail-signature-spoof/ It would be prudent for developers of GnuPG-based applications to check for similar issues in their software. I did a lot of due diligence to check critical infrastructure, but there were several "near misses" that make me fear that there are still some affected products out there.
Current thread:
- CVE-2018-12020, CVE-2018-12019 in GnuPG, Enigmails, GPGTools, python-gnupg Marcus Brinkmann (Jun 13)