
posted by Fnord666 on Wednesday June 13, @10:43AM
from the oops,my-bad dept.

If you're a developer relying on GnuPG, check upstream for an update that plugs an input sanitisation bug.

The short version, given in CVE-2018-12020, is that mainproc.c mishandles the filename, and as a result, an attacker can spoof the output it sends to other programs.

“For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes”, the Mitre advisory states.

GnuPG maintainer Werner Koch explained in more detail in this advisory.

The ability to include the input file name in a signed/encrypted message is part of the OpenPGP protocol, so he[sic] recipient can see what file is being decrypted. The bug is that the file name included for display doesn't get sanitised.

As a result, an attacker can include commands in a fake filename, because the filename “may include line feeds or other control characters. This can be used to inject terminal control sequences into the output and, worse, to fake the so-called status messages”, Koch's note said.

[...] Koch attributed the discovery to Marcus Brinkmann, and Brinkmann had one complaint about how things were handled, as he wrote to the OSS-sec mailing list: "I tried to disclose this responsibly with Werner Koch (and in coordination with other affected projects), but within two hours he did a unilateral full disclosure without getting back to me."

  • (Score: 2) by driverless on Wednesday June 13, @12:04PM (4 children)

    by driverless (4770) on Wednesday June 13, @12:04PM (#692303)

    You have to wonder about a security program that's vulnerable to an attack that's been around since the 1980s. Back then you could upload Zip files with manipulated filenames to a BBS using your 2400 baud modem and cause interesting results based on what you'd done to the filename. Nearly thirty years later, an application specifically written for security is vulnerable to those same issues...

    There was an issue from around that time with Zip file comments, anyone checked whether GPG is vulnerable to that one as well?

    • (Score: 2, Interesting) by Anonymous Coward on Wednesday June 13, @01:37PM (1 child)

      by Anonymous Coward on Wednesday June 13, @01:37PM (#692324)

      This one is actually a completely valid filename that the terminal interprets in a way that causes the problem.

      If you're viewing it on anything other than a terminal, it isn't a problem.
      If you're viewing it on a hard-copy terminal, the problem is there, but the attempt to abuse it becomes obvious.

      Should every program be aware of every weird terminal that was ever made?

      (And why are command line programs still using character codes to control a terminal emulator rather than having an API for everything outside text, tab and newline?)

      • (Score: 0) by Anonymous Coward on Thursday June 14, @12:02AM

        by Anonymous Coward on Thursday June 14, @12:02AM (#692613)

        If you're viewing it on anything other than a terminal, it isn't a problem.

        This is not quite true, because the filename might still contain newlines and text that looks like gpg status lines. The problem is that some programs run gpg and then parse its output, and they might get confused into thinking a signature verification was successful when, in fact, it was not.

        The impact is still pretty low because programs using the library interface are unaffected. The gpgv command is also unaffected.

    • (Score: 0) by Anonymous Coward on Thursday June 14, @03:44AM (1 child)

      by Anonymous Coward on Thursday June 14, @03:44AM (#692683)

      You have to wonder about a security program that's vulnerable to an attack that's been around since the 1980s

      To be fair, do you know how many gnupg developers there are? Most people would rather point and laugh instead of doing anything useful.

      • (Score: 2) by driverless on Thursday June 14, @11:59AM

        by driverless (4770) on Thursday June 14, @11:59AM (#692833)

        You have to wonder about a security program that's vulnerable to an attack that's been around since the 1980s

        To be fair, do you know how many gnupg developers there are?

        I only have one doctor, but he still manages to sterilise his instruments before using them; it's just basic hygiene. And that's what this is, basic sanitisation of untrusted input data.

        Incidentally, congratulations for outing me as a "M$ sock puppet". Was it the OpenBSD logo on my desktop that gave the game away?

  • (Score: 0) by Anonymous Coward on Wednesday June 13, @04:49PM (3 children)

    by Anonymous Coward on Wednesday June 13, @04:49PM (#692398)

    This vulnerability manifests in systems that call gpg and friends as command line processes and parse their output (granted, a very common use method these days.)

    Real programmers who use actual APIs like GPGme closed this hole long ago.

    Slapping something together that just barely works isn't good enough for security. Implementing security interfaces in Perl, Ruby, and other semi-precious gems of scripting spaghetti is just begging for stuff like this.

    • (Score: 2) by realDonaldTrump on Wednesday June 13, @09:20PM (2 children)

      by realDonaldTrump (6614) on Wednesday June 13, @09:20PM (#692536)

      I buy a lot of jewelry, so let me tell you. Ruby has always been precious. And it used to be that turquoise or obsidian were semi-precious. But the guy at Tiffany's tells me, any natural (not fake) stone they make jewelry with is now considered precious. Officially they're all precious so long as they're not fake. Although some are more precious than others. As everyone knows. And pearl is VERY SPECIAL, it's not a stone. But women GO NUTS over it!!!

      --
      #FreeDonaldTrump [twitter.com]
      • (Score: 3, Funny) by Snow on Wednesday June 13, @10:36PM (1 child)

        by Snow (1601) on Wednesday June 13, @10:36PM (#692578)

        In Alberta, we have fossils. Lots and lots of fossils. Some are dinosaurs, some are trees, and some are just oil. We drilled up the oil, and sold it to America. We dug up the dinosaurs and put them in a museum (a ROYAL museum).

        Some guy (a very smart guy) found a fossil of a snail or something. It was shiny and green, maybe it was red, maybe yellow, I think it was red. He made it into a necklace and sold it -- smart guy. They made some videos showing how shiny and good it was, like a diamond, but it's not a diamond -- it's a really old dead sea snail that someone found in the ground.

        But the tourists! They LOVE it! They love it so much! The hotels, they have a channel (cruise ships have a channel too) and it shows you the ammolite, all day, every day. It shows you the colors and the necklaces. It's an INVESTMENT they tell you (it's not; it's a sea snail). But the tourists! They buy it up! They buy so much of it! They buy the snail-rocks and they think it's like a diamond!

        • (Score: 2) by realDonaldTrump on Thursday June 14, @12:33AM

          by realDonaldTrump (6614) on Thursday June 14, @12:33AM (#692619)

          The ammolite is so beautiful. And the ladies love it. As you know. But unfortunately Canada has a HUGE trade surplus with my Country. With the USA.

          Trudeau came to see me, Justin from Canada. He said, "no, no, we have no trade deficit with you, we have none. Donald, please." Good-looking guy comes in -- "Donald, we have no trade deficit." He’s very proud because everybody else, you know, we’re getting killed. So, he’s proud. I said, "wrong, Justin, you do." I didn’t even know. I had no idea. I just said, "You’re wrong." You know why? Because we’re so stupid. And I thought they were smart. I said, "you’re wrong, Justin." He said, "nope, we have no trade deficit." I said, "well, in that case, I feel differently," I said, "but I don’t believe it." I sent one of our guys out. His guy, my guy, they went out. I said, "check, because I can’t believe it."

          "Well, sir, you’re actually right. We have no deficit, but that doesn't include energy and timber." Canada, a lot of timber. And when you do, we lose $17 billion a year. It’s incredible!!!

          --
          #FreeDonaldTrump [twitter.com]