Security News > 2018 > June > Vulnerability in GnuPG allowed digital signature spoofing for decades

Vulnerability in GnuPG allowed digital signature spoofing for decades
2018-06-15 16:31

A vulnerability affecting GnuPG has made some of the widely used email encryption software vulnerable to digital signature spoofing for many years. The list of affected programs includes Enigmail and GPGTools. About the vulnerability (CVE-2018-12020) CVE-2018-12020, dubbed “SigSpoof” by Marcus Brinkmann, the researcher which found it, arises from “weak design choices.” “The signature verification routine in Enigmail 2.0.6.1, GPGTools 2018.2, and python-gnupg 0.4.2 parse the output of GnuPG 2.2.6 with a “–status-fd 2” option, which … More → The post Vulnerability in GnuPG allowed digital signature spoofing for decades appeared first on Help Net Security.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/ZE6_MSoKhk0/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2018-06-08 CVE-2018-12020 Use of Incorrectly-Resolved Name or Reference vulnerability in multiple products
mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option.
network
low complexity
redhat canonical debian gnupg CWE-706
5.0

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Gnupg 4 6 22 12 3 43
Digital 3 0 3 4 1 8