Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 13 Jun 2018 20:22:23 +0200
From: Marcus Brinkmann <>
Subject: CVE-2018-12020, CVE-2018-12019 in GnuPG, Enigmails, GPGTools,

I have published my reports:

CVE-2018-12020: The signature verification routine in Enigmail,
GPGTools 2018.2, and python-gnupg 0.4.2 parse the output of GnuPG 2.2.6
with a “--status-fd 2” option, which allows remote attackers to spoof
arbitrary signatures via the embedded “filename” parameter in OpenPGP
literal data packets, if the user has the verbose option set in their
gpg.conf file.

CVE-2018-12019: The signature verification routine in Enigmail
interprets user ids as status/control messages and does not correctly
keep track of the status of multiple signatures, which allows remote
attackers to spoof arbitrary email signatures via public keys containing
crafted primary user ids.

It would be prudent for developers of GnuPG-based applications to check
for similar issues in their software. I did a lot of due diligence to
check critical infrastructure, but there were several "near misses" that
make me fear that there are still some affected products out there.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.