Security update for python-python-gnupg SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:1722-1 Final 1 1 2018-06-16T08:19:15Z current 2018-06-16T08:19:15Z 2018-06-16T08:19:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-python-gnupg This update for python-python-gnupg to version 0.4.3 fixes the following issues: The following security vulnerabilities were addressed: - Sanitize diagnostic output of the original file name in verbose mode (CVE-2018-12020 boo#1096745) The following other changes were made: - Add --no-verbose to the gpg command line, in case verbose is specified is gpg.conf. - Add expect_passphrase password for use on GnuPG >= 2.1 when passing passphrase to gpg via pinentry - Provide a trust_keys method to allow setting the trust level for keys - When the gpg executable is not found, note the path used in the exception message - Make error messages more informational The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00033.html E-Mail link for openSUSE-SU-2018:1722-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 15.0 python-python-gnupg-0.4.3-lp150.2.3.1 python2-python-gnupg-0.4.3-lp150.2.3.1 python3-python-gnupg-0.4.3-lp150.2.3.1 python-python-gnupg-0.4.3-lp150.2.3.1 as a component of openSUSE Leap 15.0 python2-python-gnupg-0.4.3-lp150.2.3.1 as a component of openSUSE Leap 15.0 python3-python-gnupg-0.4.3-lp150.2.3.1 as a component of openSUSE Leap 15.0 mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes. CVE-2018-12020 openSUSE Leap 15.0:python-python-gnupg-0.4.3-lp150.2.3.1 openSUSE Leap 15.0:python2-python-gnupg-0.4.3-lp150.2.3.1 openSUSE Leap 15.0:python3-python-gnupg-0.4.3-lp150.2.3.1 important Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00033.html https://www.suse.com/security/cve/CVE-2018-12020.html CVE-2018-12020 https://bugzilla.suse.com/1096745 SUSE Bug 1096745 https://bugzilla.suse.com/1101134 SUSE Bug 1101134