diff options
author | Werner Koch <wk@gnupg.org> | 2018-06-08 10:45:21 +0200 |
---|---|---|
committer | DongHun Kwak <dh0128.kwak@samsung.com> | 2021-02-10 12:29:28 +0900 |
commit | caeca3573547ae6b3527cd39f7e3d5ab64dae4a2 (patch) | |
tree | f576418b76b344f7801ff03f2029a7f3bf509cf7 | |
parent | d39c9971f0b15ef705cedb1902840efbffb35526 (diff) | |
download | gpg2-tizen_6.5.tar.gz gpg2-tizen_6.5.tar.bz2 gpg2-tizen_6.5.zip |
[CVE-2018-12020] gpg: Sanitize diagnostic with the original file name.tizen_6.5.m2_releasesubmit/tizen_6.5/20211028.163401submit/tizen/20210210.034405accepted/tizen/unified/20210215.130925accepted/tizen/6.5/unified/20211029.013135tizen_6.5accepted/tizen_6.5_unified
* g10/mainproc.c (proc_plaintext): Sanitize verbose output.
--
This fixes a forgotten sanitation of user supplied data in a verbose
mode diagnostic. The mention CVE is about using this to inject
status-fd lines into the stderr output. Other harm good as well be
done. Note that GPGME based applications are not affected because
GPGME does not fold status output into stderr.
Change-Id: I1cb2302e4584183dddf99906d8a218cd824e4117
CVE-id: CVE-2018-12020
GnuPG-bug-id: 4012
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
-rw-r--r-- | g10/mainproc.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/g10/mainproc.c b/g10/mainproc.c index 551ab58..df84ef2 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -622,7 +622,15 @@ proc_plaintext( CTX c, PACKET *pkt ) if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) ) log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n")); else if( opt.verbose ) - log_info(_("original file name='%.*s'\n"), pt->namelen, pt->name); + { + /* We don't use print_utf8_buffer because that would require a + * string change which we don't want in 2.2. It is also not + * clear whether the filename is always utf-8 encoded. */ + char *tmp = make_printable_string (pt->name, pt->namelen, 0); + log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp); + xfree (tmp); + } + free_md_filter_context( &c->mfx ); if (gcry_md_open (&c->mfx.md, 0, 0)) BUG (); |