If you're a developer relying on GnuPG, check upstream for an update that plugs an input sanitisation bug.

The short version, given in CVE-2018-12020, is that mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification, and as a result a remote attacker can spoof the output GnuPG sends on file descriptor 2 to programs that invoke it with --status-fd 2.

“For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes”, the Mitre advisory states.

GnuPG maintainer Werner Koch explained in more detail in this advisory.


The ability to include the input file name in a signed/encrypted message is part of the OpenPGP protocol, so the recipient can see what file is being decrypted. The bug is that the file name included for display doesn't get sanitised before GnuPG prints it.

As a result, an attacker can plant control characters in a made-up filename, because the displayed name “may include line feeds or other control characters. This can be used to inject terminal control sequences into the output and, worse, to fake the so-called status messages”, Koch's note said.

The status messages are also parsed by other programs to check the validity of a signature – meaning something like a package manager could be tricked into treating a malicious program as if it were legitimate.

“Status messages are created with the option '--status-fd N' where N is a file descriptor. Now if N is 2 the status messages and the regular diagnostic messages share the stderr output channel. By using a made up file name in the message it is possible to fake status messages”, Koch wrote.
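To make the shared-channel problem Koch describes concrete, here is an added example (not code from GnuPG, Koch's advisory or this article) in Python. It models the stderr of an unpatched gpg run with --verbose, once with --status-fd 2 and once with --status-fd 3, and feeds it to a naive wrapper that looks for GOODSIG and VALIDSIG. The gpg output, key ID, user ID and timestamps are constructed to mirror the shape of real output; the exact wording of the verbose diagnostic and the percent-escaping of status arguments are modelled here, not taken from GnuPG's source.

```python
from __future__ import annotations

STATUS_PREFIX = "[GNUPG:] "

# Diagnostic line an unpatched gpg prints, in --verbose mode, for the file name
# carried in the OpenPGP literal-data packet. The name is NOT sanitised.
# (Modelled on real output; constructed for this example.)
ORIG_NAME_LINE = "gpg: original file name='{name}'"


def percent_escape(arg: str) -> str:
    """Model of how gpg escapes arguments on real status lines: control
    characters, space and '%' become %XX, so a status argument can never
    carry a line break of its own."""
    return "".join(
        f"%{ord(c):02X}" if ord(c) < 0x20 or c in " %" else c for c in arg
    )


def _status_lines(orig_name: str) -> list[str]:
    # Status lines for decrypting a message that carries NO signature
    # (constructed; timestamp and algorithm numbers are illustrative).
    return [
        "[GNUPG:] BEGIN_DECRYPTION",
        "[GNUPG:] DECRYPTION_INFO 2 9",
        "[GNUPG:] PLAINTEXT 62 1528400000 " + percent_escape(orig_name),
        "[GNUPG:] DECRYPTION_OKAY",
        "[GNUPG:] END_DECRYPTION",
    ]


def gpg_output_status_fd_2(orig_name: str) -> str:
    """Constructed stderr of `gpg --verbose --status-fd 2 --decrypt` on an
    unsigned message whose literal-data packet names the file orig_name.
    Diagnostics and status lines are interleaved on the same channel."""
    status = _status_lines(orig_name)
    lines = status[:2] + [ORIG_NAME_LINE.format(name=orig_name)] + status[2:]
    return "\n".join(lines) + "\n"


def gpg_output_status_fd_3(orig_name: str) -> tuple[str, str]:
    """Same run with --status-fd 3: returns (stderr, status_fd_contents).
    The unsanitised diagnostic stays on stderr; fd 3 carries only status."""
    stderr = ORIG_NAME_LINE.format(name=orig_name) + "\n"
    status = "\n".join(_status_lines(orig_name)) + "\n"
    return stderr, status


def parse_status(stream: str) -> list[tuple[str, str]]:
    """Extract (keyword, arguments) from every '[GNUPG:] ...' line, the way a
    typical wrapper script does."""
    found = []
    for line in stream.splitlines():
        if line.startswith(STATUS_PREFIX):
            keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
            found.append((keyword, args))
    return found


def signature_ok(stream: str) -> bool:
    """Naive verdict: trust the message if gpg reported GOODSIG and VALIDSIG."""
    keywords = {kw for kw, _ in parse_status(stream)}
    return "GOODSIG" in keywords and "VALIDSIG" in keywords


# Attacker-chosen "original file name" (constructed). It closes gpg's quote,
# injects fake status lines, then re-opens a quote so the fragment gpg appends
# its own closing quote to still looks like an ordinary diagnostic.
FAKE_NAME = (
    "report.txt'\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Release Team <release@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 "
    "2018-06-08 1528400000 0 4 0 1 10 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567\n"
    "gpg: original file name='report.txt"
)


def demo() -> tuple[bool, bool]:
    """Returns (verdict with --status-fd 2, verdict with --status-fd 3) for
    the unsigned message carrying FAKE_NAME."""
    spoofed = signature_ok(gpg_output_status_fd_2(FAKE_NAME))
    _stderr, status = gpg_output_status_fd_3(FAKE_NAME)
    separated = signature_ok(status)
    return spoofed, separated


if __name__ == "__main__":
    print(demo())  # -> (True, False)
```

With a real gpg binary the hardened path is the second case: create a pipe, hand its write end to gpg with --status-fd on that descriptor (subprocess's pass_fds on Linux), leave --verbose off, and parse only what arrives on the pipe. Anything on stderr is diagnostic text, never a verdict.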

Programs that use GPGME as the crypto engine are not affected, he noted (these include Kmail and GpgOL). For everything else the fix is to update to GnuPG 2.2.8. If you can't update, the workaround is to make sure gpg is never run with --verbose (pass --no-verbose, and check that gpg.conf doesn't enable it), since the unsanitised filename is only printed in verbose mode, or to give --status-fd a descriptor other than 2 so status lines never share stderr with the diagnostics.

Koch attributed the discovery to Marcus Brinkmann, and Brinkmann had one complaint about how things were handled, as he wrote to the OSS-sec mailing list: “I tried to disclose this responsibly with Werner Koch (and in coordination with other affected projects), but within two hours he did a unilateral full disclosure without getting back to me.” ®