On 12/29/25 04:51, Werner Koch wrote:
>> Item 5: Memory Corruption in ASCII-Armor Parsing
>>
>> This is a serious memory-safety error in GPG.
>
> Yes, and actually the only serious bug from their list. This one
> (T7906) was fixed in the repo on November 4 (T7906) and released with
> 2.5.14 on 2025-11-19:
>
> * gpg: Fix possible memory corruption in the armor parser. [T7906]
>
> and in the ExtendedLTS version 2.2.51 already on 2025-10-28:
>
> * gpg: Fix possible memory corruption in the armor parser.
> [rG1e929abd20]
>
> Another release of 2.4 is still pending but given that its end-of-life is
> in 6 months, it would anyway be better to switch to 2.5.
>
> Whether this bug is really exploitable is still questionable but of
> course we decided to fix that. Thus the claim by Demi Marie "one of
> which allows remote code execution. [All are zero-days to the best of
> my knowledge.]" is over the top. Even the report marks this bug as a
> "may":
>
> Impact
> While this may allow remote code execution (RCE), it definitively
> causes memory corruption.
>
> Good research.
I wasn't aware of the fix commits. The fixed bugs are indeed not zero-day
vulnerabilities from an upstream perspective. They are, however, zero-day
vulnerabilities for many distro users. In particular, Fedora 42, 43, and
Rawhide do not have the fixes.

While upstream did use the word "may", it also states:

> From here it is a challenge in memory corruption exploitation
> with a very large space of reachable primitives.

I concluded from this that exploitation is just a matter of effort.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
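The thread names the releases that carry the armor-parser fix (2.5.14 for the 2.5 branch, 2.2.51 for the 2.2 ExtendedLTS branch) and says a 2.4 release is still pending. The following is an added example, not code from the thread or from the GnuPG project: a POSIX shell check that reads the installed `gpg --version` and reports whether that version is at or past the fixed release named for its branch. The function names and the sample versions in the comments are constructed for this example. One caveat the thread itself points at (distro users can lag upstream, or get backports): distributions often ship the patch without bumping the version, so an "unfixed" verdict means "check the package changelog", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example (not from the thread or GnuPG): version-based check for the
# T7906 armor-parser fix, using only the release numbers given in the thread.

# version_ge A B : succeeds when dotted version A is >= dotted version B.
# Compares up to three numeric components; missing components count as 0.
version_ge() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# armor_fix_status VERSION : prints "fixed", "unfixed" or "unknown".
# Thresholds are the releases named in the thread: 2.5.14 and 2.2.51.
# The thread says a fixed 2.4 release is still pending, so every 2.4.x is
# reported as unfixed; branches the thread does not mention are "unknown".
armor_fix_status() {
    v="$1"
    branch=$(printf '%s' "$v" | cut -d. -f1,2)
    case "$branch" in
        2.5) if version_ge "$v" 2.5.14; then echo fixed; else echo unfixed; fi ;;
        2.2) if version_ge "$v" 2.2.51; then echo fixed; else echo unfixed; fi ;;
        2.4) echo unfixed ;;
        *)   echo unknown ;;
    esac
}

# installed_gpg_version : extracts "X.Y.Z" from the first line of
# `gpg --version` (e.g. "gpg (GnuPG) 2.2.41"); prints nothing if gpg is absent.
installed_gpg_version() {
    gpg --version 2>/dev/null | sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p'
}

# Usage: report on the locally installed gpg, if any. A version-based
# "unfixed" must be confirmed against the distribution's package changelog,
# since backported patches do not change the upstream version string.
if v=$(installed_gpg_version) && [ -n "$v" ]; then
    echo "gpg $v: armor-parser fix status = $(armor_fix_status "$v")"
    echo "(if unfixed: check your distro's package changelog for a backport of T7906)"
fi
```

The check is deliberately conservative: it only says "fixed" when the upstream version string alone proves it, and leaves the backport question to the package metadata, which is where a distro user would actually find the answer.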
