CVE-2007-1263

Publication date 6 March 2007

Last updated 17 July 2025

Ubuntu priority

GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, does not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
gnupg	9.10 karmic	Fixed 1.4.6-1ubuntu2
	9.04 jaunty	Fixed 1.4.6-1ubuntu2
	8.10 intrepid	Fixed 1.4.6-1ubuntu2
	8.04 LTS hardy	Fixed 1.4.6-1ubuntu2
	7.10 gutsy	Fixed 1.4.6-1ubuntu2
	7.04 feisty	Fixed 1.4.6-1ubuntu2
	6.10 edgy	Fixed 1.4.3-2ubuntu3.3
	6.06 LTS dapper	Fixed 1.4.2.2-1ubuntu2.5
gnupg2	9.10 karmic	Fixed 2.0.3-1ubuntu1
	9.04 jaunty	Fixed 2.0.3-1ubuntu1
	8.10 intrepid	Fixed 2.0.3-1ubuntu1
	8.04 LTS hardy	Fixed 2.0.3-1ubuntu1
	7.10 gutsy	Fixed 2.0.3-1ubuntu1
	7.04 feisty	Fixed 2.0.3-1ubuntu1
	6.10 edgy	Fixed 1.9.21-0ubuntu5.3
	6.06 LTS dapper	Ignored end of life
gpgme1.0	9.10 karmic	Fixed 1.1.2-2ubuntu2
	9.04 jaunty	Fixed 1.1.2-2ubuntu2
	8.10 intrepid	Fixed 1.1.2-2ubuntu2
	8.04 LTS hardy	Fixed 1.1.2-2ubuntu2
	7.10 gutsy	Fixed 1.1.2-2ubuntu2
	7.04 feisty	Fixed 1.1.2-2ubuntu2
	6.10 edgy	Fixed 1.1.2-2ubuntu0.1
	6.06 LTS dapper	Fixed 1.1.0-1ubuntu0.1

References

Related Ubuntu Security Notices (USN)

USN-432-1
GnuPG vulnerability
8 March 2007

USN-432-2
GnuPG2, GPGME vulnerability
13 March 2007

Other references

https://www.cve.org/CVERecord?id=CVE-2007-1263