Brad Bishop | 220d553 | 2018-08-14 00:59:39 +0100 | [diff] [blame] | 1 | From 13f135c7a252cc46cff96e75968d92b6dc8dce1b Mon Sep 17 00:00:00 2001 |
| 2 | From: Werner Koch <wk@gnupg.org> |
| 3 | Date: Fri, 8 Jun 2018 10:45:21 +0200 |
| 4 | Subject: [PATCH] gpg: Sanitize diagnostic with the original file name. |
| 5 | |
| 6 | * g10/mainproc.c (proc_plaintext): Sanitize verbose output. |
| 7 | -- |
| 8 | |
| 9 | This fixes a forgotten sanitation of user supplied data in a verbose |
| 10 | mode diagnostic. The mention CVE is about using this to inject |
| 11 | status-fd lines into the stderr output. Other harm good as well be |
| 12 | done. Note that GPGME based applications are not affected because |
| 13 | GPGME does not fold status output into stderr. |
| 14 | |
| 15 | CVE-id: CVE-2018-12020 |
| 16 | GnuPG-bug-id: 4012 |
| 17 | |
| 18 | Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=13f135c7a252cc46cff96e75968d92b6dc8dce1b] |
| 19 | |
| 20 | Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> |
| 21 | --- |
| 22 | g10/mainproc.c | 9 ++++++++- |
| 23 | 1 file changed, 8 insertions(+), 1 deletion(-) |
| 24 | |
| 25 | diff --git a/g10/mainproc.c b/g10/mainproc.c |
| 26 | index d2ceec2fd..a9da08f74 100644 |
| 27 | --- a/g10/mainproc.c |
| 28 | +++ b/g10/mainproc.c |
| 29 | @@ -851,7 +851,14 @@ proc_plaintext( CTX c, PACKET *pkt ) |
| 30 | if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8)) |
| 31 | log_info (_("Note: sender requested \"for-your-eyes-only\"\n")); |
| 32 | else if (opt.verbose) |
| 33 | - log_info (_("original file name='%.*s'\n"), pt->namelen, pt->name); |
| 34 | + { |
| 35 | + /* We don't use print_utf8_buffer because that would require a |
| 36 | + * string change which we don't want in 2.2. It is also not |
| 37 | + * clear whether the filename is always utf-8 encoded. */ |
| 38 | + char *tmp = make_printable_string (pt->name, pt->namelen, 0); |
| 39 | + log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp); |
| 40 | + xfree (tmp); |
| 41 | + } |
| 42 | |
| 43 | free_md_filter_context (&c->mfx); |
| 44 | if (gcry_md_open (&c->mfx.md, 0, 0)) |
| 45 | -- |
| 46 | 2.13.3 |
| 47 | |