[pkg-gnupg-maint] Bug#1100990: gnupg2: CVE-2025-30258
Moritz Mühlenhoff
jmm at inutil.org
Fri Mar 21 13:23:58 GMT 2025
Source: gnupg2
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for gnupg2.
CVE-2025-30258[0]:
| In GnuPG before 2.5.5, if a user chooses to import a certificate
| with certain crafted subkey data that lacks a valid backsig or that
| has incorrect usage flags, the user loses the ability to verify
| signatures made from certain other signing keys, aka a "verification
| DoS."
https://lists.gnupg.org/pipermail/gnupg-announce/2025q1/000491.html
https://dev.gnupg.org/T7527
https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-30258
https://www.cve.org/CVERecord?id=CVE-2025-30258
Please adjust the affected versions in the BTS as needed.
More information about the pkg-gnupg-maint
mailing list