File gnupg-CVE-2018-12020.patch of Package gpg2.25113

Overview Repositories Revisions Requests Users Attributes Meta

File gnupg-CVE-2018-12020.patch of Package gpg2.25113

commit 210e402acd3e284b32db1901e43bf1470e659e49
Author: Werner Koch <wk@gnupg.org>
Date:   Fri Jun 8 10:45:21 2018 +0200

gpg: Sanitize diagnostic with the original file name.
    
    * g10/mainproc.c (proc_plaintext): Sanitize verbose output.
    --
    
    This fixes a forgotten sanitation of user supplied data in a verbose
    mode diagnostic.  The mention CVE is about using this to inject
    status-fd lines into the stderr output.  Other harm good as well be
    done.  Note that GPGME based applications are not affected because
    GPGME does not fold status output into stderr.
    
    CVE-id: CVE-2018-12020
    GnuPG-bug-id: 4012
    (cherry picked from commit 13f135c7a252cc46cff96e75968d92b6dc8dce1b)

Index: gnupg-2.0.24/g10/mainproc.c
===================================================================
--- gnupg-2.0.24.orig/g10/mainproc.c	2018-06-11 15:23:21.108869121 +0200
+++ gnupg-2.0.24/g10/mainproc.c	2018-06-11 15:24:57.154457241 +0200
@@ -622,7 +622,15 @@ proc_plaintext( CTX c, PACKET *pkt )
     if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) )
 	log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n"));
     else if( opt.verbose )
-	log_info(_("original file name='%.*s'\n"), pt->namelen, pt->name);
+    {
+      /* We don't use print_utf8_buffer because that would require a
+       * string change which we don't want in 2.2.  It is also not
+       * clear whether the filename is always utf-8 encoded.  */
+      char *tmp = make_printable_string (pt->name, pt->namelen, 0);
+      log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
+      xfree (tmp);
+    }
+ 
     free_md_filter_context( &c->mfx );
     if (gcry_md_open (&c->mfx.md, 0, 0))
       BUG ();

Places

File gnupg-CVE-2018-12020.patch of Package gpg2.25113

Places