Slash Boxes

SoylentNews is people

posted by Fnord666 on Wednesday June 13 2018, @10:43AM   Printer-friendly
from the oops,my-bad dept.

If you're a developer relying on GnuPG, check upstream for an update that plugs an input sanitisation bug.

The short version, given in CVE-2018-12020, is that mainproc.c mishandles the filename, and as a result, an attacker can spoof the output it sends to other programs.

“For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes”, the Mitre advisory states.

GnuPG maintainer Werner Koch explained in more detail in this advisory.

The ability to include the input file name in a signed/encrypted message is part of the OpenPGP protocol, so he[sic] recipient can see what file is being decrypted. The bug is that the file name included for display doesn't get sanitised.

As a result, an attacker can include commands in a fake filename, because the filename “may include line feeds or other control characters. This can be used inject terminal control sequences into the out and, worse, to fake the so-called status messages”, Koch's note said.

[...] Koch attributed the discovery to Marcus Brinkmann, and Brinkmann had one complaint about how things were handled, as he wrote to the OSS-sec mailing list: "I tried to disclose this responsibly with Werner Koch (and in coordination with other affected projects), but within two hours he did a unilateral full disclosure without getting back to me."

Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by realDonaldTrump on Thursday June 14 2018, @12:33AM

    by realDonaldTrump (6614) Subscriber Badge on Thursday June 14 2018, @12:33AM (#692619) Homepage Journal

    The ammolite is so beautiful. And the ladies love it. As you know. But unfortunately Canada has a HUGE trade surplus with my Country. With the USA.

    Trudeau came to see me, Justin from Canada. He said, "no, no, we have no trade deficit with you, we have none. Donald, please." Good-looking guy comes in -- "Donald, we have no trade deficit." He’s very proud because everybody else, you know, we’re getting killed. So, he’s proud. I said, "wrong, Justin, you do." I didn’t even know. I had no idea. I just said, "You’re wrong." You know why? Because we’re so stupid. And I thought they were smart. I said, "you’re wrong, Justin." He said, "nope, we have no trade deficit." I said, "well, in that case, I feel differently," I said, "but I don’t believe it." I sent one of our guys out. His guy, my guy, they went out. I said, "check, because I can’t believe it."

    "Well, sir, you’re actually right. We have no deficit, but that doesn't include energy and timber." Canada, a lot of timber. And when you do, we lose $17 billion a year. It’s incredible!!!

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2