CVE-2008-1530

NameCVE-2008-1530
DescriptionGnuPG (gpg) 1.4.8 and 2.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted duplicate keys that are imported from key servers, which triggers "memory corruption around deduplication of user IDs."
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs472928

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gnupg2 (PTS)bullseye (security), bullseye2.2.27-2+deb11u2fixed
bookworm2.2.40-1.1fixed
sid, trixie2.2.45-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gnupgsourcesarge(not affected)
gnupgsourceetch(not affected)
gnupgsource(unstable)(not affected)
gnupg2sourcesarge(not affected)
gnupg2sourceetch(not affected)
gnupg2source(unstable)2.0.9-1472928

Notes

- gnupg <not-affected> (Only 1.4.8 is affected)
The next upload was 1.4.9-1, so no vulnerable version was ever in the
archive
[etch] - gnupg <not-affected> (Only 1.4.8 is affected)
[sarge] - gnupg <not-affected> (Only 1.4.8 is affected)
[etch] - gnupg2 <not-affected> (Only 2.0.8 is affected)
[sarge] - gnupg2 <not-affected> (Only 2.0.8 is affected)

Search for package or bug name: Reporting problems