Search CVE reports
1 – 10 of 39 results
Some fixes available 5 of 7
In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain...
1 affected package
gnupg2
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| gnupg2 | Fixed | Fixed | Fixed | Needs evaluation |
GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.
2 affected packages
gnupg, gnupg2
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| gnupg | — | Not in release | Not in release | Not in release |
| gnupg2 | — | Fixed | Fixed | Fixed |
GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.
2 affected packages
gnupg2, gnupg
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| gnupg2 | Vulnerable | Vulnerable | Vulnerable | Vulnerable |
| gnupg | — | Not in release | Not in release | Not in release |
GnuPG 2.2.21 and 2.2.22 (and Gpg4win 3.1.12) has an array overflow, leading to a crash or possibly unspecified other impact, when a victim imports an attacker's OpenPGP key, and this key has AEAD preferences. The overflow...
1 affected package
gnupg2
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| gnupg2 | — | — | Not affected | Not affected |
Some fixes available 5 of 12
python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be...
1 affected package
python-gnupg
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| python-gnupg | Not affected | Vulnerable | Vulnerable | Fixed |
Some fixes available 1 of 20
A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.
3 affected packages
gnupg, gnupg2, gnupg1
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| gnupg | Not in release | Not in release | Not in release | Not in release |
| gnupg2 | Not affected | Not affected | Not affected | Fixed |
| gnupg1 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
Some fixes available 1 of 12
Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network....
3 affected packages
gnupg, gnupg2, sks
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| gnupg | Not in release | Not in release | Not in release | Not in release |
| gnupg2 | Not affected | Not affected | Not affected | Fixed |
| sks | Not affected | Not affected | Vulnerable | Vulnerable |
GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.
2 affected packages
gnupg, gnupg2
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| gnupg | — | — | — | Not in release |
| gnupg2 | — | — | — | Fixed |
cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic...
3 affected packages
gnupg, libgcrypt11, libgcrypt20
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| gnupg | — | — | — | Not in release |
| libgcrypt11 | — | — | — | Not in release |
| libgcrypt20 | — | — | — | Not affected |
Some fixes available 24 of 41
mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the...
5 affected packages
enigmail, gnupg, gnupg1, python-gnupg, gnupg2
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| enigmail | Not in release | Vulnerable | Vulnerable | Vulnerable |
| gnupg | Not in release | Not in release | Not in release | Not in release |
| gnupg1 | Not affected | Not affected | Not affected | Vulnerable |
| python-gnupg | Not affected | Not affected | Not affected | Fixed |
| gnupg2 | Fixed | Fixed | Fixed | Fixed |