
posted by Fnord666 on Wednesday June 13, @10:43AM
from the oops,my-bad dept.

If you're a developer relying on GnuPG, check upstream for an update that plugs an input sanitisation bug.

The short version, given in CVE-2018-12020, is that mainproc.c mishandles the filename, and as a result, an attacker can spoof the output it sends to other programs.

“For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes”, the Mitre advisory states.

GnuPG maintainer Werner Koch explained in more detail in this advisory.

The ability to include the input file name in a signed/encrypted message is part of the OpenPGP protocol, so the recipient can see what file is being decrypted. The bug is that the file name included for display doesn't get sanitised.

As a result, an attacker can include commands in a fake filename, because the filename “may include line feeds or other control characters. This can be used to inject terminal control sequences into the output and, worse, to fake the so-called status messages”, Koch's note said.

[...] Koch attributed the discovery to Marcus Brinkmann, and Brinkmann had one complaint about how things were handled, as he wrote to the OSS-sec mailing list: "I tried to disclose this responsibly with Werner Koch (and in coordination with other affected projects), but within two hours he did a unilateral full disclosure without getting back to me."


  • (Score: 2, Interesting) by Anonymous Coward on Wednesday June 13, @01:37PM (1 child)

    by Anonymous Coward on Wednesday June 13, @01:37PM (#692324)

    This one is actually a completely valid filename that the terminal interprets in a way that causes the problem.

    If you're viewing it on anything other than a terminal, it isn't a problem.
    If you're viewing it on a hard-copy terminal, the problem is there, but the attempt to abuse it becomes obvious.

    Should every program be aware of every weird terminal that was ever made?

    (And why are command line programs still using character codes to control a terminal emulator rather than having an API for everything outside text, tab and newline?)

  • (Score: 0) by Anonymous Coward on Thursday June 14, @12:02AM

    by Anonymous Coward on Thursday June 14, @12:02AM (#692613)

    If you're viewing it on anything other than a terminal, it isn't a problem.

    This is not quite true, because the filename might still contain newlines and text that looks like gpg status lines. The problem is that some programs run gpg and then parse its output, and they might get confused into thinking a signature verification was successful when, in fact, it was not.

    The impact is still pretty low because programs using the library interface are unaffected. The gpgv command is also unaffected.