mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2018-06-08T21:00:00
Updated: 2021-12-28T22:06:08
Reserved: 2018-06-07T00:00:00
Link: CVE-2018-12020
NVD Information
Status: Analyzed
Published: 2018-06-08T21:29:00.237
Modified: 2022-04-18T17:30:54.320
Link: CVE-2018-12020