Page MenuHome GnuPG
Create Task
Maniphest T4012

Diagnostic is shown with the original filename not being sanitized.
Closed, ResolvedPublic
Actions

Description

This is CVE-2018-12020. Probably affects all versions.

Revisions and Commits

rG GnuPG
rG2326851c6079 gpg: Sanitize diagnostic with the original file name.
rG210e402acd3e gpg: Sanitize diagnostic with the original file name.
rG13f135c7a252 gpg: Sanitize diagnostic with the original file name.

Related Objects
Search...

Event Timeline

werner created this task.Jun 8 2018, 10:52 AM
werner added a commit: rG13f135c7a252: gpg: Sanitize diagnostic with the original file name..Jun 8 2018, 10:54 AM
werner added a commit: rG210e402acd3e: gpg: Sanitize diagnostic with the original file name..
werner added a commit: rG2326851c6079: gpg: Sanitize diagnostic with the original file name..Jun 8 2018, 11:01 AM
werner changed the task status from Open to Testing.Jun 8 2018, 11:09 AM

Fixed in 1.4, 2.2 and master. New releases will be done soon. Note that there is no need for a new gpg4win release because GPGME is not affected.

werner edited projects, added CVE, gnupg (gpg14); removed gnupg (gpg22).Jun 8 2018, 11:12 AM
werner added subscribers: dkg, marcus.

@dkg can you please take this up with Debian and other distros? See the commit for a brief description.

werner edited projects, added gnupg; removed gnupg (gpg14).Jun 8 2018, 12:10 PM

[Better use the gnupg tag. Specific versions end up on the workboard and there may only be one.]

werner added a comment.Jun 8 2018, 3:54 PM

2.2.8. with a fix has been released. Announcement

werner added a comment.Jun 8 2018, 10:11 PM

Unfortunately 2.2.8 does not build with older libgpg-error versions. Commit rG18274db32b5dea7fe8db67043a787578c975de4d should fix this.

werner lowered the priority of this task from Unbreak Now! to High.Jun 9 2018, 11:45 AM
werner added a project: backport.
werner removed a project: backport.
werner renamed this task from Diagnostic with original filename is not sanitized. to Diagnostic is shown with the original filename not beeing sanitized..Jun 11 2018, 9:50 AM
werner mentioned this in T4015: Release 1.4.23.
werner created subtask T4015: Release 1.4.23.
werner renamed this task from Diagnostic is shown with the original filename not beeing sanitized. to Diagnostic is shown with the original filename not being sanitized..Jun 11 2018, 11:23 AM
werner closed this task as Resolved.
werner closed subtask T4015: Release 1.4.23 as Resolved.
werner mentioned this in T4023: gnupg 2.2.8 make errors.Jun 14 2018, 3:57 PM
werner added a comment.Apr 29 2019, 4:14 PM

Timeline:

Request for keyThu, 7 Jun 2018 11:48 +0200
Reply from usThu, 7 Jun 2018 19:05 +0200
Report dateFri, 8 Jun 2018 09:14 +0200
Fix committedFri, 8 Jun 2018 11:09 +0200
Announcement and releaseFri, 8 Jun 2018 15:41 +0200