Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Wednesday June 13, @10:43AM   Printer-friendly
from the oops,my-bad dept.

If you're a developer relying on GnuPG, check upstream for an update that plugs an input sanitisation bug.

The short version, given in CVE-2018-12020, is that mainproc.c mishandles the filename, and as a result, an attacker can spoof the output it sends to other programs.

“For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes”, the Mitre advisory states.

GnuPG maintainer Werner Koch explained in more detail in this advisory.

The ability to include the input file name in a signed/encrypted message is part of the OpenPGP protocol, so he[sic] recipient can see what file is being decrypted. The bug is that the file name included for display doesn't get sanitised.

As a result, an attacker can include commands in a fake filename, because the filename “may include line feeds or other control characters. This can be used inject terminal control sequences into the out and, worse, to fake the so-called status messages”, Koch's note said.

[...] Koch attributed the discovery to Marcus Brinkmann, and Brinkmann had one complaint about how things were handled, as he wrote to the OSS-sec mailing list: "I tried to disclose this responsibly with Werner Koch (and in coordination with other affected projects), but within two hours he did a unilateral full disclosure without getting back to me."


Original Submission

 

Reply to: The 1980s called...

    (Score: 2) by driverless on Wednesday June 13, @12:04PM

    by driverless (4770) on Wednesday June 13, @12:04PM (#692303)

    You have to wonder about a security program that's vulnerable to an attack that's been around since the 1980s. Back then you could upload Zip files with manipulated filenames to a BBS using your 2400 baud modem and cause interesting results based on what you'd done to the filename. Nearly thirty years later, an application specifically written for security is vulnerable to those same issues...

    There was an issue from around that time with Zip file comments, anyone checked whether GPG is vulnerable to that one as well?

Post Comment

Edit Comment You are not logged in. You can log in now using the convenient form below, or Create an Account, or post as Anonymous Coward.

Public Terminal

Anonymous Coward [ Create an Account ]

Use the Preview Button! Check those URLs!


Logged-in users aren't forced to preview their comments. Create an Account!

Allowed HTML
<b|i|p|br|a|ol|ul|li|dl|dt|dd|em|strong|tt|blockquote|div|ecode|quote|sup|sub|abbr|sarc|sarcasm|user|spoiler|del|s|strike>

URLs
<URL:http://example.com/> will auto-link a URL

Important Stuff

  • Please try to keep posts on topic.
  • Try to reply to other people's comments instead of starting new threads.
  • Read other people's messages before posting your own to avoid simply duplicating what has already been said.
  • Use a clear subject that describes what your message is about.
  • Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)
  • If you want replies to your comments sent to you, consider logging in or creating an account.

If you are having a problem with accounts or comment posting, please yell for help.