CVE-2008-1530

NameCVE-2008-1530
DescriptionGnuPG (gpg) 1.4.8 and 2.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted duplicate keys that are imported from key servers, which triggers "memory corruption around deduplication of user IDs."
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh
Debian Bugs472928

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gnupg (PTS)jessie (security), jessie1.4.18-7+deb8u5fixed
gnupg2 (PTS)jessie (security), jessie2.0.26-6+deb8u2fixed
stretch2.1.18-8~deb9u4fixed
stretch (security)2.1.18-8~deb9u2fixed
buster2.2.12-1+deb10u1fixed
bullseye, sid2.2.17-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gnupgsource(unstable)(not affected)
gnupgsourceetch(not affected)
gnupgsourcesarge(not affected)
gnupg2source(unstable)2.0.9-1472928
gnupg2sourceetch(not affected)
gnupg2sourcesarge(not affected)

Notes

- gnupg <not-affected> (Only 1.4.8 is affected)
The next upload was 1.4.9-1, so no vulnerable version was ever in the
archive
[etch] - gnupg <not-affected> (Only 1.4.8 is affected)
[sarge] - gnupg <not-affected> (Only 1.4.8 is affected)
[etch] - gnupg2 <not-affected> (Only 2.0.8 is affected)
[sarge] - gnupg2 <not-affected> (Only 2.0.8 is affected)

Search for package or bug name: Reporting problems