[pkg-gnupg-maint] Bug#1100990: gnupg2: CVE-2025-30258

Moritz Mühlenhoff jmm at inutil.org
Sat Mar 22 16:16:53 GMT 2025


On Sat, Mar 22, 2025 at 03:15:02PM +0100, Andreas Metzler wrote:
> On 2025-03-21 Moritz Mühlenhoff <jmm at inutil.org> wrote:
> [...]
> > The following vulnerability was published for gnupg2.
> 
> > CVE-2025-30258[0]:
> > | In GnuPG before 2.5.5, if a user chooses to import a certificate
> > | with certain crafted subkey data that lacks a valid backsig or that
> > | has incorrect usage flags, the user loses the ability to verify
> > | signatures made from certain other signing keys, aka a "verification
> > | DoS."
> [...]
> 
> At first glance this probably does not warrant a DSA and can be fixed
> with a stable update.

Agreed, I'll mark it as no-dsa in the Security Tracker.

Cheers,
        Moritz
