DEBIAN-CVE-2018-12020

DEBIAN-CVE-2018-12020 PUBLISHED CVSS 7.5 HIGH

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.

Risk Scores

CVSS 3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Products

Vendor	Product	Versions
Debian:11	gnupg2	0, 0, 0
Debian:11	enigmail	0, 0, 0
Debian:13	gnupg2	0, 0, 0
Debian:13	gnupg1	0, 0, 0
Debian:14	gnupg2	0, 0, 0
Debian:11	gnupg1	0, 0, 0
Debian:12	gnupg2	0, 0, 0
Debian:14	gnupg1	0, 0, 0
Debian:12	gnupg1	0, 0, 0

Timeline

Jun 8, 2018 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2018-12020 advisory

Open in Interactive Console →