| Field | Value |
|---|---|
| Description | GnuPG (gpg) 1.4.8 and 2.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted duplicate keys that are imported from key servers, which triggers "memory corruption around deduplication of user IDs." |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| gnupg2 (PTS) | buster, buster (security) | 2.2.12-1+deb10u2 | fixed |
| | bullseye (security), bullseye | 2.2.27-2+deb11u2 | fixed |
| | sid, trixie, bookworm | 2.2.40-1.1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
- gnupg <not-affected> (Only 1.4.8 is affected)
The next upload was 1.4.9-1, so no vulnerable version was ever in the
[etch] - gnupg <not-affected> (Only 1.4.8 is affected)
[sarge] - gnupg <not-affected> (Only 1.4.8 is affected)
[etch] - gnupg2 <not-affected> (Only 2.0.8 is affected)
[sarge] - gnupg2 <not-affected> (Only 2.0.8 is affected)