Bug 1096745 - (CVE-2018-12020) VUL-0: CVE-2018-12020: gpg2,enigmail: Sanitize the diagnostic output of the original file name in verbose mode
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P2 - High, Major
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/207699/
Whiteboard: CVSSv3:SUSE:CVE-2018-12020:7.3:(AV:N/...
Reported: 2018-06-08 14:19 UTC by Karol Babioch
Modified: 2021-12-08 10:45 UTC
Found By: Security Response Team
Description Karol Babioch 2018-06-08 14:19:04 UTC
CVE-2018-12020

Impact
======

All current GnuPG versions are affected on all platforms.

All mail clients and other applications which make use of GPG but are
not utilizing the GPGME library might be affected.

The OpenPGP protocol allows including the file name of the original
input file in a signed or encrypted message.  During decryption and
verification the GPG tool can display a notice with that file name.  The
displayed file name is not sanitized and as such may include line feeds
or other control characters.  This can be used to inject terminal control
sequences into the output and, worse, to fake the so-called status
messages.  These status messages are parsed by programs to get
information from gpg about the validity of a signature and other
parameters.  Status messages are created with the option "--status-fd N"
where N is a file descriptor.  Now if N is 2 the status messages and the
regular diagnostic messages share the stderr output channel.  By using a
made up file name in the message it is possible to fake status messages.
Using this technique it is for example possible to fake the verification
status of a signed mail.

Although GnuPG takes great care to sanitize all diagnostic and status
output, the case at hand was missed but finally found and reported by
Marcus Brinkmann.  CVE-2018-12020 was assigned to this bug; GnuPG tracks
it at <https://dev/gnupg.org/T4012>.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12020
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
https://dev.gnupg.org/T4012
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=13f135c7a252cc46cff96e75968d92b6dc8dce1b
Comment 1 Swamp Workflow Management 2018-06-08 15:10:10 UTC
This is an autogenerated message for OBS integration:
This bug (1096745) was mentioned in
https://build.opensuse.org/request/show/615264 Factory / gpg2
Comment 5 Swamp Workflow Management 2018-06-12 14:11:08 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2018-06-19.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64055
Comment 6 Swamp Workflow Management 2018-06-12 14:12:35 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2018-06-19.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64057
Comment 7 Andreas Stieger 2018-06-13 19:09:09 UTC
http://seclists.org/oss-sec/2018/q2/187

CVE-2018-12020: The signature verification routine in Enigmail 2.0.6.1,
GPGTools 2018.2, and python-gnupg 0.4.2 parse the output of GnuPG 2.2.6
with a “--status-fd 2” option, which allows remote attackers to spoof
arbitrary signatures via the embedded “filename” parameter in OpenPGP
literal data packets, if the user has the verbose option set in their
gpg.conf file.

https://neopg.io/blog/gpg-signature-spoof/

from https://www.enigmail.net/index.php/en/download/changelog#enig2.0.7

Spoofing of Email signatures I (CVE-2018-12020): GnuPG 2.2.8 fixed a security bug that allows remote attackers to spoof arbitrary email signatures via the embedded "--filename" parameter in OpenPGP literal data packets. This release of Enigmail prevents the exploit for all versions of GnuPG, i.e. also if GnuPG is not updated.
Comment 9 Swamp Workflow Management 2018-06-13 20:20:10 UTC
This is an autogenerated message for OBS integration:
This bug (1096745) was mentioned in
https://build.opensuse.org/request/show/616614 15.0+42.3+Backports:SLE-12 / enigmail
https://build.opensuse.org/request/show/616618 15.0 / python-python-gnupg
Comment 10 Karol Babioch 2018-06-14 08:51:38 UTC
Official announcement:

https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

Reproducer:

If you want to test whether you are affected by this bug, remove the
indentation from the following block

  -----BEGIN PGP MESSAGE-----
  
  jA0EBwMC1pW2pqoYvbXl0p4Bo5z/v7PXy7T1BY/KQxWaE9uTBRbf4no64/+5YYzX
  +BVNqP+82aBFYXEsD9x1vGuYwofQ4m/q/WcQDEPXhRyzU+4yiT3EOuG7sTTaQR3b
  8xAn2Qtpyq5tO7k9CN6dasaXKSduXVmFUqzgU+W9WaTLOKNDFw6FYV3lnOoPtFcX
  rzhh2opkX9Oh/5DUkZ6YmUIX3j/A0z+59/qNO1i2hQ==
  =zswl
  -----END PGP MESSAGE-----

and pass to this pipeline

  gpg --no-options -vd 2>&1 | grep '^\[GNUPG:] INJECTED'

If you get some output you are using a non-fixed version.
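The description and the reproducer above both come down to one channel problem: with "--status-fd 2" the diagnostic notice that echoes the embedded file name and the machine-parsed "[GNUPG:]" lines share stderr, so an unescaped line feed in the file name lets attacker-controlled text start a new line. The following Python is an added example, not code from the bug report, GnuPG or Enigmail. It models that notice before and after sanitizing (the escaping shown is an illustrative C-style escape, not a copy of the GnuPG commit), runs a minimal status-line parser over a constructed stderr stream to show what the consuming program would see in each case, and ends with the mitigation a caller controls regardless of the gpg version: reading status lines from a private pipe instead of fd 2. The names, the sample file name and the `DECRYPTION_OKAY` line in the sample stream are constructed for the example; `verify_with_dedicated_status_fd` needs a real gpg binary and is not run by the offline checks.

```python
"""Added example (not from the bug report or from GnuPG): why parsing
'[GNUPG:]' status lines out of a shared stderr is fragile, how escaping
control characters in the echoed file name defuses it, and how a caller
should read status lines from a dedicated pipe rather than fd 2."""
import os
import subprocess
from typing import List, Tuple

STATUS_PREFIX = "[GNUPG:] "


def escape_control_chars(name: str) -> str:
    """Escape control characters so an untrusted file name can never start a
    new line in diagnostic output. Illustrative C-style escaping; the exact
    escaping GnuPG adopted in its fix is not reproduced here."""
    out = []
    for ch in name:
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            out.append("\\x%02x" % code)
        else:
            out.append(ch)
    return "".join(out)


def diagnostic_line(original_name: str, sanitize: bool) -> str:
    """Model of the verbose-mode notice about the embedded file name,
    before (sanitize=False) and after (sanitize=True) sanitizing."""
    shown = escape_control_chars(original_name) if sanitize else original_name
    return "gpg: original file name='%s'\n" % shown


def parse_status(text: str) -> List[Tuple[str, str]]:
    """Parse '[GNUPG:] KEYWORD args' lines the way a mail client would."""
    result = []
    for line in text.splitlines():
        if line.startswith(STATUS_PREFIX):
            body = line[len(STATUS_PREFIX):]
            keyword, _, args = body.partition(" ")
            result.append((keyword, args))
    return result


# Constructed sample: an embedded file name carrying a line feed followed by
# text shaped like a status line (the pattern the advisory describes).
FORGED_NAME = ("report.txt\n[GNUPG:] GOODSIG 0123456789ABCDEF "
               "Example <example@example.invalid>")


def status_seen_on_shared_stderr(sanitize: bool) -> List[str]:
    """What a parser of '--status-fd 2' output sees: the file-name notice and
    the genuine status lines are interleaved on one stream. Returns the
    status keywords it would accept."""
    stderr = diagnostic_line(FORGED_NAME, sanitize) + "[GNUPG:] DECRYPTION_OKAY\n"
    return [keyword for keyword, _ in parse_status(stderr)]


def verify_with_dedicated_status_fd(data: bytes, gpg: str = "gpg") -> List[Tuple[str, str]]:
    """Run gpg with --status-fd on a private pipe (never fd 2), so diagnostics
    and status lines cannot be mixed no matter what the file name contains.
    Requires a gpg binary; not exercised by the offline checks."""
    read_fd, write_fd = os.pipe()
    try:
        proc = subprocess.Popen(
            [gpg, "--batch", "--no-tty", "--status-fd", str(write_fd), "--decrypt"],
            stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
            pass_fds=(write_fd,),
        )
    except OSError:
        os.close(read_fd)
        raise
    finally:
        os.close(write_fd)  # the parent keeps only the read end
    # Status output is small for a single message; for large inputs read the
    # pipe concurrently instead of after communicate() to avoid filling it.
    proc.communicate(data)
    with os.fdopen(read_fd, "r", encoding="utf-8", errors="replace") as status:
        return parse_status(status.read())


if __name__ == "__main__":
    print("shared stderr, unsanitized:", status_seen_on_shared_stderr(False))
    print("shared stderr, sanitized:  ", status_seen_on_shared_stderr(True))
```

The unsanitized run yields a GOODSIG keyword that gpg never emitted, the sanitized run yields only the genuine DECRYPTION_OKAY; the dedicated-pipe helper makes the distinction irrelevant for the caller, which is why the Enigmail changelog above could say its release prevents the exploit for all GnuPG versions.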
Comment 14 Swamp Workflow Management 2018-06-15 10:11:26 UTC
SUSE-SU-2018:1696-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1096745
CVE References: CVE-2018-12020
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    gpg2-2.0.9-25.33.42.3.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    gpg2-2.0.9-25.33.42.3.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    gpg2-2.0.9-25.33.42.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    gpg2-2.0.9-25.33.42.3.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    gpg2-2.0.9-25.33.42.3.1
Comment 15 Swamp Workflow Management 2018-06-15 16:08:57 UTC
SUSE-SU-2018:1698-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1096745
CVE References: CVE-2018-12020
Sources used:
SUSE OpenStack Cloud 7 (src):    gpg2-2.0.24-9.3.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    gpg2-2.0.24-9.3.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    gpg2-2.0.24-9.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    gpg2-2.0.24-9.3.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    gpg2-2.0.24-9.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    gpg2-2.0.24-9.3.1
SUSE Linux Enterprise Server 12-LTSS (src):    gpg2-2.0.24-9.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    gpg2-2.0.24-9.3.1
SUSE Enterprise Storage 4 (src):    gpg2-2.0.24-9.3.1
SUSE CaaS Platform ALL (src):    gpg2-2.0.24-9.3.1
OpenStack Cloud Magnum Orchestration 7 (src):    gpg2-2.0.24-9.3.1
Comment 16 Swamp Workflow Management 2018-06-15 19:11:34 UTC
openSUSE-SU-2018:1706-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1096745,1097525
CVE References: CVE-2018-12019,CVE-2018-12020
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    enigmail-2.0.7-18.1
Comment 17 Swamp Workflow Management 2018-06-15 19:13:09 UTC
openSUSE-SU-2018:1708-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1096745,1097525
CVE References: CVE-2018-12019,CVE-2018-12020
Sources used:
openSUSE Leap 42.3 (src):    enigmail-2.0.7-21.1
openSUSE Leap 15.0 (src):    enigmail-2.0.7-lp150.2.12.1
Comment 18 Swamp Workflow Management 2018-06-16 13:12:42 UTC
openSUSE-SU-2018:1722-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1096745
CVE References: CVE-2018-12020
Sources used:
openSUSE Leap 15.0 (src):    python-python-gnupg-0.4.3-lp150.2.3.1
Comment 19 Swamp Workflow Management 2018-06-16 13:13:59 UTC
openSUSE-SU-2018:1724-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1096745
CVE References: CVE-2018-12020
Sources used:
openSUSE Leap 42.3 (src):    gpg2-2.0.24-9.3.1
openSUSE Leap 15.0 (src):    gpg2-2.2.5-lp150.3.3.1
Comment 20 Swamp Workflow Management 2018-06-26 13:08:21 UTC
SUSE-SU-2018:1814-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1096745
CVE References: CVE-2018-12020
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    gpg2-2.2.5-4.3.1
Comment 22 Marcus Meissner 2018-08-07 16:06:13 UTC
released now
Comment 23 Swamp Workflow Management 2018-08-07 19:26:10 UTC
SUSE-SU-2018:2243-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1094781,1096745,1097525
CVE References: CVE-2018-12019,CVE-2018-12020
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src):    enigmail-2.0.7-3.7.2
Comment 24 Swamp Workflow Management 2018-10-18 16:11:54 UTC
SUSE-SU-2018:1698-2: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1096745
CVE References: CVE-2018-12020
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    gpg2-2.0.24-9.3.1