gnupg2-2.0.22-5.el7

Errata ID: AXSA:2018-3256:01

Release date: Thursday, July 12, 2018 - 04:52
Subject: gnupg2-2.0.22-5.el7
Affected Channels: Asianux Server 7 for x86_64
Severity: High
Description: 

The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards.

Security Fix(es):

* gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification (CVE-2018-12020)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2018-12020
mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
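As an added example (not part of this errata or of GnuPG itself), a Python wrapper that avoids the `--status-fd 2` pattern the CVE targets: status output goes to a dedicated pipe instead of sharing stderr, `--no-verbose` suppresses the filename echo, and the consumer pins the signing key fingerprint. The parser and pinning check run offline on constructed status lines; a `gpg` binary on PATH is an assumption for `verify_file`.

```python
import os
import subprocess

STATUS_PREFIX = b"[GNUPG:] "
FAILURE_CODES = {"BADSIG", "ERRSIG", "NODATA", "EXPSIG", "EXPKEYSIG",
                 "REVKEYSIG", "NO_PUBKEY", "FAILURE"}


def parse_status(stream: bytes) -> dict:
    """Map each status keyword to the list of argument lists seen for it.

    Only lines with the machine-readable prefix are kept.  This filter alone
    does not defeat CVE-2018-12020: a filename echoed to a shared fd 2 with an
    embedded line feed yields a line that is byte-for-byte a real status line.
    The fix is to feed this parser a descriptor that carries nothing but
    status output (see verify_file), not a cleverer parser.
    """
    status = {}
    for line in stream.split(b"\n"):
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].decode("utf-8", "replace").split(" ")
        status.setdefault(fields[0], []).append(fields[1:])
    return status


def signature_ok(status: dict, trusted_fprs: set) -> bool:
    """Accept only GOODSIG plus VALIDSIG from a pinned key and no failure code."""
    if FAILURE_CODES & status.keys():
        return False
    if "GOODSIG" not in status or "VALIDSIG" not in status:
        return False
    # VALIDSIG's first argument is the fingerprint of the signing key.
    return all(args and args[0].upper() in trusted_fprs for args in status["VALIDSIG"])


def verify_file(signed_path: str, trusted_fprs: set) -> bool:
    """Run gpg --verify with status output on a private pipe, never on fd 2."""
    rfd, wfd = os.pipe()
    proc = subprocess.Popen(
        ["gpg", "--batch", "--no-verbose", "--status-fd", str(wfd),
         "--verify", signed_path],
        stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL, pass_fds=(wfd,))
    os.close(wfd)  # keep only the child's copy so read() sees EOF at exit
    with os.fdopen(rfd, "rb") as status_pipe:
        raw = status_pipe.read()
    proc.wait()
    return signature_ok(parse_status(raw), trusted_fprs)
```

The `trusted_fprs` set is the caller's allow-list of 40-hex-character fingerprints; `signature_ok` returns False whenever any failure code appears, even alongside a GOODSIG.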

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. gnupg2-2.0.22-5.el7.src.rpm
    MD5: f2557d074713883a39aa516245266cb0
    SHA-256: 3486498d18f084e56193d11560ad90275af20c90998e5f4e2750f000e2044947
    Size: 4.10 MB

Asianux Server 7 for x86_64
  1. gnupg2-2.0.22-5.el7.x86_64.rpm
    MD5: 43a7fb6f23383f28724c6715c9ea480b
    SHA-256: b83c99df5d641ae7a5e1f4585775ae0606797a56d968a68886602830f3aae8e1
    Size: 1.49 MB