gnupg2-2.0.22-5.el7
Errata ID: AXSA:2018-3256:01
The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards.
Security Fix(es):
* gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification (CVE-2018-12020)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2018-12020
mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
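The following Python example is added here for illustration and is not part of this advisory or of GnuPG: it contrasts parsing the shared fd 2 stream described above with reading status from a dedicated pipe using `--no-verbose`. The fingerprint and sample streams are constructed, the `original file name='...'` line follows GnuPG's verbose log format (not shown on this page), and `read_status` and `valid_signers` are hypothetical helper names.

```python
import os
import subprocess

# Constructed fingerprint and streams for illustration; not real gpg output.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SPOOFED = ("[GNUPG:] VALIDSIG %s 2018-06-01 1527811200 0 4 0 1 8 00 %s"
           % (FPR, FPR)).encode()

# What a caller using "--status-fd 2" reads from a vulnerable gpg: the verbose
# filename log line and the status lines share one stream, so a line feed in
# the filename begins what looks like a genuine status line.
MIXED_FD2 = (b"gpg: original file name='report.txt\n" + SPOOFED +
             b"\n'\n[GNUPG:] PLAINTEXT_LENGTH 5\n")

# The same run with status on its own descriptor: the filename text stays in
# the log stream and never reaches the status parser.
DEDICATED_STATUS = b"[GNUPG:] PLAINTEXT_LENGTH 5\n"


def valid_signers(status_bytes):
    """Return the fingerprints reported by VALIDSIG lines in a status stream."""
    fprs = set()
    for line in status_bytes.split(b"\n"):
        fields = line.split(b" ")
        if len(fields) >= 3 and fields[:2] == [b"[GNUPG:]", b"VALIDSIG"]:
            fprs.add(fields[2].decode("ascii", "replace"))
    return fprs


def read_status(path, gpg="gpg2"):
    """Verify an inline-signed file with status on a private pipe, not fd 2."""
    r, w = os.pipe()
    try:
        proc = subprocess.Popen(
            [gpg, "--batch", "--no-verbose", "--status-fd", str(w),
             "--verify", path],
            pass_fds=(w,), stdin=subprocess.DEVNULL,
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except OSError:
        os.close(r)
        raise
    finally:
        os.close(w)  # the parent keeps only the read end
    with os.fdopen(r, "rb") as status:
        data = status.read()
    proc.wait()
    return data
```

A caller would accept a message only when `valid_signers(read_status(path))` contains a fingerprint it already trusts.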
Update packages.
N/A
SRPMS
- gnupg2-2.0.22-5.el7.src.rpm
MD5: f2557d074713883a39aa516245266cb0
SHA-256: 3486498d18f084e56193d11560ad90275af20c90998e5f4e2750f000e2044947
Size: 4.10 MB
Asianux Server 7 for x86_64
- gnupg2-2.0.22-5.el7.x86_64.rpm
MD5: 43a7fb6f23383f28724c6715c9ea480b
SHA-256: b83c99df5d641ae7a5e1f4585775ae0606797a56d968a68886602830f3aae8e1
Size: 1.49 MB