SigSpoof: Spoofing signatures in GnuPG, Enigmail, GPGTools and python-gnupg (CVE-2018-12020)
https://neopg.io/blog/gpg-signature-spoof/ [neopg.io]
2018-06-15 17:31
Some applications call GnuPG with --status-fd 2 such that stderr and the status messages are combined in a single data pipe. These applications try to separate the output lines afterwards based on the line prefix (which is [GNUPG:] for status messages and gpg: for stderr).
GnuPG, with verbose enabled (either directly on the command line or indirectly through the gpg.conf configuration file), prints the "name of the encrypted file" (an obscure feature of OpenPGP under the control of the attacker) to stderr without escaping newline characters. A file name that contains a newline followed by text beginning with [GNUPG:] therefore lands in the shared pipe as a line that such a prefix-based parser cannot tell apart from a genuine status message.
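The following is an added example, not code from GnuPG, Enigmail, GPGTools or python-gnupg. It models the two halves of the problem described above: a consumer that reads `--status-fd 2` output and splits status from log lines by prefix, beside a consumer whose status lines arrive on their own stream. The gpg output is constructed, not captured; the `gpg: original file name='...'` log text, the ordering of the lines, and the key ID and user ID in the spoofed GOODSIG line are stand-ins chosen for the simulation.

```python
"""Simulation of the SigSpoof parsing flaw (CVE-2018-12020).

Added example, not code from any of the affected projects. The gpg output
below is constructed to resemble what a caller sees when decrypting an
*unsigned* encrypted message with --verbose; the log text, line order, and
the key ID / user ID are assumptions for the simulation.
"""
from __future__ import annotations

STATUS_PREFIX = "[GNUPG:] "

# Constructed stand-in identity the attacker wants the victim to trust.
FAKE_KEYID = "0000000000000000"  # placeholder, not a real key ID
FAKE_UID = "Trusted Sender <trusted@example.invalid>"


def gpg_output(filename: str, combined: bool) -> tuple[str, str]:
    """Model of gpg decrypting an unsigned message with verbose enabled.

    Returns (status_text, stderr_text). With combined=True the status lines
    are interleaved into stderr, as happens with '--status-fd 2'. The attacker
    controls 'filename' (the OpenPGP literal-data packet name); unpatched gpg
    wrote it to stderr with embedded newlines left unescaped.
    """
    status_lines = [
        f"{STATUS_PREFIX}BEGIN_DECRYPTION",
        f"{STATUS_PREFIX}DECRYPTION_OKAY",
        f"{STATUS_PREFIX}END_DECRYPTION",
    ]
    stderr_lines = [
        "gpg: encrypted with 1 passphrase",
        # Assumed log format; newlines in 'filename' pass through unescaped.
        f"gpg: original file name='{filename}'",
    ]
    if combined:
        # Assumed interleaving: the file-name log line appears between the
        # decryption status messages on the single shared pipe.
        text = "\n".join([status_lines[0], *stderr_lines, *status_lines[1:]])
        return text + "\n", ""
    return "\n".join(status_lines) + "\n", "\n".join(stderr_lines) + "\n"


def split_by_prefix(combined: str) -> tuple[list[str], list[str]]:
    """Vulnerable: separate status and log lines by prefix after the fact."""
    status, logs = [], []
    for line in combined.splitlines():
        if line.startswith(STATUS_PREFIX):
            status.append(line[len(STATUS_PREFIX):])
        elif line.startswith("gpg: "):
            logs.append(line)
    return status, logs


def signature_state(status: list[str]) -> tuple[bool, str | None]:
    """Decide from status keywords whether a signature verified.

    Returns (ok, keyid). Any negative verdict wins over a GOODSIG.
    """
    ok, keyid = False, None
    for entry in status:
        fields = entry.split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword == "GOODSIG" and len(fields) >= 2:
            ok, keyid = True, fields[1]
        elif keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, fields[1] if len(fields) > 1 else None
    return ok, keyid


def vulnerable_verify(filename: str) -> tuple[bool, str | None]:
    """Consumer using --status-fd 2 and prefix splitting."""
    combined, _ = gpg_output(filename, combined=True)
    status, _logs = split_by_prefix(combined)
    return signature_state(status)


def hardened_verify(filename: str) -> tuple[bool, str | None]:
    """Consumer whose status lines arrive on a dedicated fd; stderr is never
    consulted for status, so attacker text on stderr cannot become status."""
    status_text, _stderr = gpg_output(filename, combined=False)
    status = [line[len(STATUS_PREFIX):]
              for line in status_text.splitlines()
              if line.startswith(STATUS_PREFIX)]
    return signature_state(status)


# Attacker's literal-data file name: closes the quote gpg opened, ends the log
# line, injects a status line, then starts a harmless-looking log line so the
# quote gpg appends afterwards is absorbed.
SPOOF_FILENAME = (
    "report.txt'\n"
    f"{STATUS_PREFIX}GOODSIG {FAKE_KEYID} {FAKE_UID}\n"
    "gpg: "
)

if __name__ == "__main__":
    print("vulnerable:", vulnerable_verify(SPOOF_FILENAME))
    print("hardened:  ", hardened_verify(SPOOF_FILENAME))
```

The message in the simulation carries no signature at all, yet the prefix-splitting consumer reports a good signature from the placeholder key. Running the same input through the dedicated-stream consumer yields no signature, because nothing written to stderr can reach the status parser; on the GnuPG side the fix was to escape the file name before logging it.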
source: HN