The OpenPGP protocol allows the file name of the original input file to be included in a signed or encrypted message. During decryption and verification the GPG tool can display a notice with that file name. The displayed file name is not sanitized and as such may include line feeds or other control characters. This can be used to inject terminal control sequences into the output and, worse, to fake the so-called status messages. The suggested solution is to update to GnuPG 2.2.8 or a vendor-provided update.
Source: https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
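For tools that read the embedded file name themselves, the check below shows the kind of sanitization the advisory describes as missing. It is an added example, not GnuPG's code: it parses a Literal Data packet body as laid out in RFC 4880 section 5.9 and escapes control characters before display. The function names and the sample packet are constructed for illustration.

```python
import struct

def parse_literal_body(body: bytes):
    """Split a Literal Data packet body: format, file name, date, data."""
    if len(body) < 6:
        raise ValueError("literal data body too short")
    fmt = chr(body[0])             # 'b', 't' or 'u'
    name_len = body[1]             # one-octet file name length
    end = 2 + name_len
    if len(body) < end + 4:
        raise ValueError("truncated file name or date")
    name = body[2:end]             # attacker-controlled bytes
    (date,) = struct.unpack(">I", body[end:end + 4])
    return fmt, name, date, body[end + 4:]

def _is_control(cp: int) -> bool:
    # C0 controls (LF, CR, ESC, ...), DEL and C1 controls
    return cp < 0x20 or 0x7F <= cp <= 0x9F

def has_control_chars(name: bytes) -> bool:
    """True if the name would alter terminal or line-based output."""
    text = name.decode("utf-8", errors="replace")
    return any(_is_control(ord(ch)) for ch in text)

def display_name(name: bytes) -> str:
    """Render the name on one line, escaping controls and backslashes."""
    out = []
    for ch in name.decode("utf-8", errors="replace"):
        cp = ord(ch)
        if _is_control(cp) or ch == "\\":
            out.append("\\x%02x" % cp)
        else:
            out.append(ch)
    return "".join(out)

# Constructed sample: a file name carrying a line feed and an escape sequence.
SAMPLE_NAME = b"notes.txt\n\x1b[2Jextra line"
SAMPLE_BODY = (b"b" + bytes([len(SAMPLE_NAME)]) + SAMPLE_NAME
               + struct.pack(">I", 0) + b"hello")

if __name__ == "__main__":
    fmt, name, date, data = parse_literal_body(SAMPLE_BODY)
    if has_control_chars(name):
        print("warning: embedded file name contains control characters")
    print("file name:", display_name(name))
```

A consumer that parses line-oriented output should treat a name for which `has_control_chars` returns true as a reason to reject or flag the message, not only to escape it.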

