[Secure-testing-team] Bug#697251: gnupg2: gnupg key import memory corruption
Christoph Anton Mitterer
calestyo at scientia.net
Thu Jan 3 03:19:35 UTC 2013
Package: gnupg2
Version: 2.0.19-1
Severity: critical
Tags: security
Justification: root security hole
Hi.
This is a follow up for #697108 and CVE-2012-6085.
While it seems that all world fixes this only for gpg 1.4.x Werner's
bug entry[0,1] implies that 2.x is also affected.
Could you please have a look?
btw: Marking as root security hole, because people may use gpg2 to
e.g. manually verify packages before installing them. Yeah I know,... apt
would use gpg1 where it is already fixed. But better too high severity, than
sorry ;)
Cheers,
Chris.
[0] https://bugs.g10code.com/gnupg/issue1455
[1] https://bugs.g10code.com/gnupg/msg4493
More information about the Secure-testing-team
mailing list