mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the --status-fd 2 option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
Find out more about CVE-2018-12020 from the MITRE-CVE dictionary and NIST NVD
Login may be required to access defects or downloads.
Product Name | Status | Defect | Fixed | Downloads |
---|