Your message dated Fri, 21 Mar 2025 18:00:01 +0100
with message-id <[email protected]>
and subject line Re: Bug#1100990: gnupg2: CVE-2025-30258
has caused the Debian Bug report #1100990,
regarding gnupg2: CVE-2025-30258
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1100990: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100990
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gnupg2
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for gnupg2.
CVE-2025-30258[0]:
| In GnuPG before 2.5.5, if a user chooses to import a certificate
| with certain crafted subkey data that lacks a valid backsig or that
| has incorrect usage flags, the user loses the ability to verify
| signatures made from certain other signing keys, aka a "verification
| DoS."
https://lists.gnupg.org/pipermail/gnupg-announce/2025q1/000491.html
https://dev.gnupg.org/T7527
https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-30258
https://www.cve.org/CVERecord?id=CVE-2025-30258
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Version: 2.2.46-5
On 2025-03-21 Moritz Mühlenhoff <[email protected]> wrote:
> Source: gnupg2
> X-Debbugs-CC: [email protected]
> Severity: important
> Tags: security
> Hi,
> The following vulnerability was published for gnupg2.
> CVE-2025-30258[0]:
> | In GnuPG before 2.5.5, if a user chooses to import a certificate
> | with certain crafted subkey data that lacks a valid backsig or that
> | has incorrect usage flags, the user loses the ability to verify
> | signatures made from certain other signing keys, aka a "verification
> | DoS."
> https://lists.gnupg.org/pipermail/gnupg-announce/2025q1/000491.html
> https://dev.gnupg.org/T7527
> https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158
[...]
This is fixed in testing, sid and experimental, previous versions
including oldstable are affected. Please not that the closing commit
introduced a regression plus which needs another commit plus debugging
this found a double-free (third patch).
https://dev.gnupg.org/T7547
See https://gitlab.com/freepg/gnupg/-/merge_requests/18 and
https://gitlab.com/freepg/gnupg/-/merge_requests/22
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
--- End Message ---