CVE-2022-34903

NameCVE-2022-34903
DescriptionGnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5174-1
Debian Bugs1014157

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gnupg2 (PTS)buster, buster (security)2.2.12-1+deb10u2fixed
bullseye (security), bullseye2.2.27-2+deb11u2fixed
trixie, bookworm2.2.40-1.1fixed
sid2.2.40-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gnupg2sourcebuster2.2.12-1+deb10u2DSA-5174-1
gnupg2sourcebullseye2.2.27-2+deb11u2DSA-5174-1
gnupg2source(unstable)2.2.35-31014157

Notes

https://dev.gnupg.org/T6027
https://www.openwall.com/lists/oss-security/2022/06/30/1
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=34c649b3601383cd11dbc76221747ec16fd68e1b

Search for package or bug name: Reporting problems