DescriptionGnuPG (gpg) 1.4.8 and 2.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted duplicate keys that are imported from key servers, which triggers "memory corruption around deduplication of user IDs."
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs472928

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gnupg2 (PTS)buster, buster (security)2.2.12-1+deb10u2fixed
bullseye (security), bullseye2.2.27-2+deb11u2fixed
sid, trixie, bookworm2.2.40-1.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gnupgsourcesarge(not affected)
gnupgsourceetch(not affected)
gnupgsource(unstable)(not affected)
gnupg2sourcesarge(not affected)
gnupg2sourceetch(not affected)


- gnupg <not-affected> (Only 1.4.8 is affected)
The next upload was 1.4.9-1, so no vulnerable version was ever in the
[etch] - gnupg <not-affected> (Only 1.4.8 is affected)
[sarge] - gnupg <not-affected> (Only 1.4.8 is affected)
[etch] - gnupg2 <not-affected> (Only 2.0.8 is affected)
[sarge] - gnupg2 <not-affected> (Only 2.0.8 is affected)

Search for package or bug name: Reporting problems