GnuPG Vulnerability Allows Spoofing of Message Signatures

guest · Jun 14, 2018

GnuPG Vulnerability Allows Spoofing of Message Signatures
GnuPG recently addressed an input sanitization vulnerability where a remote attacker could spoof arbitrary signatures.
June 14, 2018
https://www.securityweek.com/gnupg-vulnerability-allows-spoofing-message-signatures

Released earlier this month, GnuPG version 2.2.8 addresses CVE-2018-12020, a vulnerability affecting GnuPG, Enigmail, GPGTools and python-gnupg, Marcus Brinkmann, who discovered the bug, reveals. Brinkmann has dubbed the flaw SigSpoof.

Status messages, GnuPG maintainer Werner Koch explains, are parsed by programs to get information from GPG about the validity of a signature. Status messages are created with the option “--status-fd N,” where N is a file descriptor. If N is 2, status messages and regular diagnostic messages share the stderr output channel.

The issue resides in the OpenPGP protocol allowing the inclusion of the file name of the original input file into a signed or encrypted message. The GnuPG tool can display a notice with that file name during decryption and verification, but it does not sanitize the file name, meaning that an attacker could include line feeds or other control characters in it.
Click to expand...

Log in or Sign up

GnuPG Vulnerability Allows Spoofing of Message Signatures

guest Guest

Log in or Sign up

GnuPG Vulnerability Allows Spoofing of Message Signatures

guest Guest

Useful Searches