DescriptionGnuPG (gpg) 1.4.8 and 2.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted duplicate keys that are imported from key servers, which triggers "memory corruption around deduplication of user IDs."
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh
Debian Bugs472928

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gnupg2 (PTS)stretch2.1.18-8~deb9u4fixed
stretch (security)2.1.18-8~deb9u2fixed
bullseye, sid2.2.27-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gnupgsourcesarge(not affected)
gnupgsourceetch(not affected)
gnupgsource(unstable)(not affected)
gnupg2sourcesarge(not affected)
gnupg2sourceetch(not affected)


- gnupg <not-affected> (Only 1.4.8 is affected)
The next upload was 1.4.9-1, so no vulnerable version was ever in the
[etch] - gnupg <not-affected> (Only 1.4.8 is affected)
[sarge] - gnupg <not-affected> (Only 1.4.8 is affected)
[etch] - gnupg2 <not-affected> (Only 2.0.8 is affected)
[sarge] - gnupg2 <not-affected> (Only 2.0.8 is affected)

Search for package or bug name: Reporting problems