Security News > 2018 > June > Vulnerability in GnuPG allowed digital signature spoofing for decades
2018-06-15 16:31
A vulnerability affecting GnuPG has made some of the widely used email encryption software vulnerable to digital signature spoofing for many years. The list of affected programs includes Enigmail and GPGTools. About the vulnerability (CVE-2018-12020) CVE-2018-12020, dubbed “SigSpoof” by Marcus Brinkmann, the researcher which found it, arises from “weak design choices.” “The signature verification routine in Enigmail 2.0.6.1, GPGTools 2018.2, and python-gnupg 0.4.2 parse the output of GnuPG 2.2.6 with a “–status-fd 2” option, which … More → The post Vulnerability in GnuPG allowed digital signature spoofing for decades appeared first on Help Net Security.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/ZE6_MSoKhk0/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-06-08 | CVE-2018-12020 | Use of Incorrectly-Resolved Name or Reference vulnerability in multiple products mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. | 7.5 |