Diagnostic is shown with the original filename not being sanitized.
Closed, Resolved, Public

Description

This is CVE-2018-12020. Probably affects all versions.

werner created this task. Fri, Jun 8, 10:52 AM
werner changed the task status from Open to Testing. Fri, Jun 8, 11:09 AM

Fixed in 1.4, 2.2 and master. New releases will be done soon. Note that there is no need for a new gpg4win release because GPGME is not affected.

werner edited projects, added CVE, gnupg (gpg14); removed gnupg (gpg22). Fri, Jun 8, 11:12 AM
werner added subscribers: dkg, marcus.

@dkg can you please take this up with Debian and other distros? See the commit for a brief description.

werner edited projects, added gnupg; removed gnupg (gpg14). Fri, Jun 8, 12:10 PM

[Better use the gnupg tag. Specific versions end up on the workboard and there may only be one.]

werner added a comment. Fri, Jun 8, 3:54 PM

2.2.8 with a fix has been released. Announcement

Unfortunately 2.2.8 does not build with older libgpg-error versions. Commit rG18274db32b5dea7fe8db67043a787578c975de4d should fix this.

werner lowered the priority of this task from Unbreak Now! to High. Sat, Jun 9, 11:45 AM
werner added a project: backport.
werner removed a project: backport.
werner renamed this task from Diagnostic with original filename is not sanitized. to Diagnostic is shown with the original filename not beeing sanitized.. Mon, Jun 11, 9:50 AM
werner mentioned this in T4015: Release 1.4.23.
werner created subtask T4015: Release 1.4.23.
werner renamed this task from Diagnostic is shown with the original filename not beeing sanitized. to Diagnostic is shown with the original filename not being sanitized..
werner closed this task as Resolved.