
Diagnostic is shown with the original filename not being sanitized.
Closed, Resolved (Public)

Description

This is CVE-2018-12020. Probably affects all versions.

Event Timeline

werner changed the task status from Open to Testing. (Jun 8 2018, 11:09 AM)

Fixed in 1.4, 2.2 and master. New releases will be done soon. Note that there is no need for a new gpg4win release because GPGME is not affected.

werner added subscribers: dkg, marcus.

@dkg can you please take this up with Debian and other distros? See the commit for a brief description.

[Better use the gnupg tag. Specific versions end up on the workboard and there may only be one.]

2.2.8 with a fix has been released. Announcement

Unfortunately 2.2.8 does not build with older libgpg-error versions. Commit rG18274db32b5dea7fe8db67043a787578c975de4d should fix this.

werner lowered the priority of this task from Unbreak Now! to High. (Jun 9 2018, 11:45 AM)
werner added a project: backport.
werner removed a project: backport.
werner renamed this task from "Diagnostic with original filename is not sanitized." to "Diagnostic is shown with the original filename not beeing sanitized." (Jun 11 2018, 9:50 AM)
werner mentioned this in T4015: Release 1.4.23.
werner created subtask T4015: Release 1.4.23.
werner renamed this task from "Diagnostic is shown with the original filename not beeing sanitized." to "Diagnostic is shown with the original filename not being sanitized." (Jun 11 2018, 11:23 AM)
werner closed this task as Resolved.
werner closed subtask T4015: Release 1.4.23 as Resolved.

Timeline:

Request for key: Thu, 7 Jun 2018 11:48 +0200
Reply from us: Thu, 7 Jun 2018 19:05 +0200
Report date: Fri, 8 Jun 2018 09:14 +0200
Fix committed: Fri, 8 Jun 2018 11:09 +0200
Announcement and release: Fri, 8 Jun 2018 15:41 +0200