USN-3675-1

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/notices/USN-3675-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3675-1.json
JSON Data
https://api.osv.dev/v1/vulns/USN-3675-1
Upstream
Related
Published
2018-06-11T21:53:17.772762Z
Modified
2025-09-08T16:36:23Z
Summary
gnupg, gnupg2 vulnerabilities
Details

Marcus Brinkmann discovered that during decryption or verification, GnuPG did not properly filter out terminal sequences when reporting the original filename. An attacker could use this to specially craft a file that would cause an application parsing GnuPG output to incorrectly interpret the status of the cryptographic operation reported by GnuPG. (CVE-2018-12020)

Lance Vick discovered that GnuPG did not enforce configurations where key certification required an offline primary Certify key. An attacker with access to a signing subkey could generate certifications that appeared to be valid. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-9234)

References

Affected packages

Ubuntu:14.04:LTS / gnupg

Package

Name
gnupg
Purl
pkg:deb/ubuntu/gnupg@1.4.16-1ubuntu2.5?arch=source&distro=trusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.16-1ubuntu2.5

Affected versions

1.*

1.4.14-1ubuntu2
1.4.15-1.1ubuntu1
1.4.15-1.1ubuntu2
1.4.15-2ubuntu1
1.4.16-1ubuntu1
1.4.16-1ubuntu2
1.4.16-1ubuntu2.1
1.4.16-1ubuntu2.3
1.4.16-1ubuntu2.4

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "1.4.16-1ubuntu2.5",
            "binary_name": "gnupg"
        },
        {
            "binary_version": "1.4.16-1ubuntu2.5",
            "binary_name": "gnupg-curl"
        },
        {
            "binary_version": "1.4.16-1ubuntu2.5",
            "binary_name": "gpgv"
        }
    ],
    "availability": "No subscription required"
}

Ubuntu:16.04:LTS / gnupg

Package

Name
gnupg
Purl
pkg:deb/ubuntu/gnupg@1.4.20-1ubuntu3.2?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.20-1ubuntu3.2

Affected versions

1.*

1.4.18-7ubuntu1
1.4.19-6ubuntu1
1.4.20-1ubuntu1
1.4.20-1ubuntu2
1.4.20-1ubuntu3
1.4.20-1ubuntu3.1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "1.4.20-1ubuntu3.2",
            "binary_name": "gnupg"
        },
        {
            "binary_version": "1.4.20-1ubuntu3.2",
            "binary_name": "gnupg-curl"
        },
        {
            "binary_version": "1.4.20-1ubuntu3.2",
            "binary_name": "gpgv"
        }
    ],
    "availability": "No subscription required"
}

Ubuntu:18.04:LTS / gnupg2

Package

Name
gnupg2
Purl
pkg:deb/ubuntu/gnupg2@2.2.4-1ubuntu1.1?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.4-1ubuntu1.1

Affected versions

2.*

2.1.15-1ubuntu8
2.2.4-1ubuntu1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "2.2.4-1ubuntu1.1",
            "binary_name": "dirmngr"
        },
        {
            "binary_version": "2.2.4-1ubuntu1.1",
            "binary_name": "gnupg"
        },
        {
            "binary_version": "2.2.4-1ubuntu1.1",
            "binary_name": "gnupg-agent"
        },
        {
            "binary_version": "2.2.4-1ubuntu1.1",
            "binary_name": "gnupg-l10n"
        },
        {
            "binary_version": "2.2.4-1ubuntu1.1",
            "binary_name": "gnupg-utils"
        },
        {
            "binary_version": "2.2.4-1ubuntu1.1",
            "binary_name": "gnupg2"
        },
        {
            "binary_version": "2.2.4-1ubuntu1.1",
            "binary_name": "gpg"
        },
        {
            "binary_version": "2.2.4-1ubuntu1.1",
            "binary_name": "gpg-agent"
        },
        {
            "binary_version": "2.2.4-1ubuntu1.1",
            "binary_name": "gpg-wks-client"
        },
        {
            "binary_version": "2.2.4-1ubuntu1.1",
            "binary_name": "gpg-wks-server"
        },
        {
            "binary_version": "2.2.4-1ubuntu1.1",
            "binary_name": "gpgconf"
        },
        {
            "binary_version": "2.2.4-1ubuntu1.1",
            "binary_name": "gpgsm"
        },
        {
            "binary_version": "2.2.4-1ubuntu1.1",
            "binary_name": "gpgv"
        },
        {
            "binary_version": "2.2.4-1ubuntu1.1",
            "binary_name": "gpgv-static"
        },
        {
            "binary_version": "2.2.4-1ubuntu1.1",
            "binary_name": "gpgv-win32"
        },
        {
            "binary_version": "2.2.4-1ubuntu1.1",
            "binary_name": "gpgv2"
        },
        {
            "binary_version": "2.2.4-1ubuntu1.1",
            "binary_name": "scdaemon"
        }
    ],
    "availability": "No subscription required"
}