ESB-2018.1722 - [Win][UNIX/Linux][Debian] gnupg: Provide misleading information - Remote/unauthenticated 2018-06-11

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1722
                 gnupg2, gnupg1 and gnupg security update
                               11 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           gnupg2
                   gnupg1
                   gnupg
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12020  

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4222
   http://www.debian.org/security/2018/dsa-4223
   http://www.debian.org/security/2018/dsa-4224

Comment: This bulletin contains three (3) Debian security advisories.
         
         This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running gnupg2, gnupg1 and gnupg check for an updated version of the
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4222-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 08, 2018                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : gnupg2
CVE ID         : CVE-2018-12020

Marcus Brinkmann discovered that GnuGPG performed insufficient
sanitisation of file names displayed in status messages, which could be
abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed
in version 2.0.26-6+deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 2.1.18-8~deb9u2.

We recommend that you upgrade your gnupg2 packages.

For the detailed security status of gnupg2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/gnupg2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsa+MZfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Sj/Q//S9O9UEDpOL16FPrsYWFohmcoDPspWHyACdFxoGOxJTZxDjDS6IsLuLu7
uSsSNyW1nQt1ghxuKO+XGEHfxMiPh54BdGf1w4PtUUw/1m9uQrlMsuyYGo2O4lMx
NvpxN+IVKbKhDYHknH4f59KBv4cVZuLK6R2vuAidUmEoY0H+IEWmwdQxqRommUNh
HYziSdcQgFEqWZ6HThqWPqJbvTHk3rX4viezex6TxfXBX88RgfHgxSLEV7xkJkHi
X2oM3kEylacb53p3wlXrtpvTwXheIPvquIgOF8LIRGlMk2Hjz+I0jVYPZQL9Pz87
+PmJ2pmTtYFK6FI3LZcxs2JOuUKKEOSv7U7WkRb40tSDlY0mD1DgGghiYuL7tPid
NbBRIKsrkvDGfvb1nL54QJ4Ej1J7yeYglxIoF7DW9l7bWgyIZfaIU0VesU9UpQUq
YX/iQi1Pt/y6ZCuRlAF2Xg9VLKW/94HWYdD8KKOc8113JeJnlcEOmYDBjbsIdSuK
R3hHVoKhZD+oDA2Hww/pDKeow0/9F6Zd/pxSZXxVcVvcT59y7T9XW18f0efZcBHf
T2V019/YkYN2RasgDjjw1r1OOjitQn5ktvbdZfNW9BXq8NJiwLd99A3coLZx1GTv
+Fl4up+v2d/zUKSXtvLfUyWjqem/keT6PKSBN4g9a5VyKLOj3Js=
=2Ci/
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4223-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 08, 2018                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : gnupg1
CVE ID         : CVE-2018-12020
Debian Bug     : 901088

Marcus Brinkmann discovered that GnuGPG performed insufficient
sanitisation of file names displayed in status messages, which could be
abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the stable distribution (stretch), this problem has been fixed in
version 1.4.21-4+deb9u1.

We recommend that you upgrade your gnupg1 packages.

For the detailed security status of gnupg1 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/gnupg1

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsa+M9fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Q1wg/+LcbFthhjHEXY0itTJrfbXHvqR8JQ7OzEA+yRybho71ZM3LwjFO2Pl9j0
oNbn20soT5uX1MfP4sORaiOMIUKh2k4zbYQrS4BRV7TWoae3zmHQEhDFfhEhM17O
JMnh3NqVs1NpNe7gn1+hBQCzlOmNYU3UvmXwCX3P5yyhSuO6isvLfZURHQB8qvmd
RdNZu3nUYI8UfPp1j6wFrdR+rpUUATYy2MHZkD/BbVowk657Bul5Arx/r0QCaH88
ywMGMGvugsVQOdA02cKvCyzXVS/qgVjDsJH2ssDFPI4txKB3hEgYTBoKyoFpzHqc
I7BOuDmo6/FpUuuruQcRPQk+5BDeiW2jazwf8WoCXYocwOAw7FTTLTEkZZm2Ce+c
jtM7Bvhz3cXoQsTtze/t/BTWZuUWATsiRPgJSyKF2kPFwZIWhLu2BWF8LTGliX9M
8uXxi4ml1v2ISLlo8BEkETBrP+m77rKqfph0uV3sySXBv2qUDfJX2xNF/ig4eMfy
zlIaZgv82ZIf+mCD0/Ji0HmsKG3C8RxEhwwr4R/oG7Q7qr07LMjKZhRLIE2ZkCC2
XM8IAdJLIzJckllI8mkPmm0GTZ6lX+BRrUSUKxKxY94QKNLRFzK7mMMWhJq3gMX8
PaYsTU67ZrDd4WPubFNzHC6DP+Fd4YZblXd8dyv1uSoe1/pIr78=
=xHpn
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4224-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 08, 2018                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : gnupg
CVE ID         : CVE-2018-12020

Marcus Brinkmann discovered that GnuGPG performed insufficient
sanitisation of file names displayed in status messages, which could be
abused to fake the verification status of a signed email.

Details can be found in the upstream advisory at
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html

For the oldstable distribution (jessie), this problem has been fixed
in version 1.4.18-7+deb8u5.

We recommend that you upgrade your gnupg packages.

For the detailed security status of gnupg please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/gnupg

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlsa+NFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0RlwA/+PHaY6JTa53Q9gM9MMbEV9aJ3aXvl3VAvu4EC8Ei/rxZH0kIOO25aL+Yc
DsXwWmLl2FWuwLCRQ2HPsDuWLiNiuo4eAwM3pKg5vovAe4TbGLhd7VaSdTWa+PVj
3WwIgkZvOddPlR7saq48Lcc0taZAZwR1hQCS5bPDUzUhlzc2yMy+pi/oXioTvBxm
xOd4899wWcuRpfiZBss6veONbnf12zq/H3aCJshZrIGKxU8b7Fc+Oyq+QyK4B6sO
zMo134gF1M3HhjUxPjauX9keJe6/EMFHgjwQpA96JkNoKi96wWx31oBBJwHmLhRY
tl0FaXsBuQbZNWDU+QLbH6g2r90uuOsDHK9oY8SKIHN92/s1zW4pv2rbmcmHMPrV
oyabPZL10eH3wGf9NJAGhSO1vHOARdGJ2N3KL1AaIWLNfgXLt8QO+IH7OY3S04Y9
/sw89ojtrwIjcLpQ2DJ56Wd0LU/Jc0pNXUeEjkXthPD2VGKCYZm55yhDA5fKvBqo
m1BeKMN1qf64c40ZXq3uxV8xnt9yaFMXtX9FMZnigS7doiJhcCjggGZvzbIFoWLE
mhsDfST65Sbb9RE8q4V+tl14ssOFsQLhwByl3UzY89GpILU1qwnDyaQ2QgBI4Z18
oDQfpFkwka4Yy0iy8iqdi+DPN/VWBiIoC63ouO9MOU4rA8/VrNY=
=WGe/
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWx26fWaOgq3Tt24GAQh0AhAAhjMCR1Qe9LEmTRiD7y3N0mvxdEztlsZ+
qYLoxlRl/URTJT63Mb7T5uLbLsrUCB4nTSL2tyIfF4KVnqPPrl0EnsC/RQs5pZaQ
MQd59hPLhfq+3Y/TdhJAn3ZOTLI/gCERAib3knq6qjVjBQrF208EQLBWMs3g9blD
XYOnOsWWfni7xmJ+35NGxy0Y0MDFyPeN0RhYMwaW0knHxlOPQ4xLICzWrYbiAyWr
6D6I/PIPBS3c79C4oFIbyYwz0cORJnJdVHmSfyNA9a6eSjfH5nSBfrCbNGWxiR8s
JPAx3ebPDyCcGeQhFE9QhR+F8rhuFdxCf0gPDxqjgC5zdTOQsiaofAVGGzLSaow0
0KXB/Iy/b9DXoaCPg89REz+lM0OXnIBUThQGjDT4SAAR2ZpP1mF+LdgAqj9zFzOR
f1rqUkaZRc9/iu9CSgt9WSK2QKdk32ZVbjnfGD03+H1KaJNWzuICf5ifReDXaLew
l8byebYodvj4xNSI3dPJ7l7MjFB0VRVF8jPQe/YXoA8GzxoenteLlNHspM9DyfOF
99xtG47gOco3s/VK9fU1uBKhH06v3RPPfUb3Zy6Sa6KpoKDP6ChDACwhnfBURvmr
baCiOoKsM+u3+mUsZm3twzM61s0d/P3TWj/glbp65dfBwjGLRKXmrdZxU8H4bRYx
Cpj+EeieOdk=
=7S3z
-----END PGP SIGNATURE-----

« Back to bulletins