Opened 11 months ago
Closed 11 months ago
New point version.
Upstream has marked as critical. Marking as highest priority.
We are pleased to announce the availability of a new GnuPG release:
version 2.2.23. This version fixes a *critical security bug* in
versions 2.2.21 and 2.2.22.
These versions are affected:
- GnuPG 2.2.21 (released 2020-07-09)
- GnuPG 2.2.22 (released 2020-08-27)
- Gpg4win 3.1.12 (released 2020-07-24)
All other versions are not affected.
Importing an OpenPGP key having a preference list for AEAD algorithms
will lead to an array overflow and thus often to a crash or other
Importing an arbitrary key can often easily be triggered by an attacker
and thus trigger this bug. Exploiting the bug aside from crashes is
not trivial but likely possible for a dedicated attacker. The major
hurdle for an attacker is that only every second byte is under their
control with every first byte having a fixed value of 0x04.
Software distribution verification should not be affected by this bug
because such a system uses a curated list of keys.
A CVE-id has not yet been assigned. We track this bug at
If GnuPG version 2.2.21 or 2.2.22 is in use please update ASAP to
If you are using an older version or a beta of version 2.3 no immediate
action is required.
If you are using Gpg4win 3.1.12 or GnuPG VS-Desktop 3.1.12 you may
either wait for a fixed release which we will provide very soon or
install GnuPG version 2.2.23 on top.
If installation of a new version is not possible, applying the patch
is also sufficient.
The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
of the OpenPGP and S/MIME standards.
GnuPG allows you to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories. GnuPG itself is a command line tool with features for easy
integration with other applications. The separate library GPGME provides
a uniform API to use the GnuPG engine by software written in common
programming languages. A wealth of frontend applications and libraries
making use of GnuPG are available. As a universal crypto engine GnuPG
provides support for S/MIME and Secure Shell in addition to OpenPGP.
GnuPG is Free Software (meaning that it respects your freedom). It can
be freely used, modified and distributed under the terms of the GNU
General Public License.
Noteworthy changes in version 2.2.23
* gpg: Fix AEAD preference list overflow. [#5050]
* gpg: Fix a possible segv in the key cleaning code.
* gpgsm: Fix a minor RFC2253 parser bug. [#5037]
* scdaemon: Fix a PIN verify failure on certain OpenPGP card
implementations. Regression in 2.2.22. [#5039]
* po: Fix bug in the Hungarian translation. Updates for the Czech,
Polish, and Ukrainian translations.
The GnuPG 2.2.22 notes still need to be put in here
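As an added example (not part of the announcement and not GnuPG's own code), a small Python triage helper that parses an unarmored OpenPGP export and reports the longest preference list in each signature's hashed subpacket area, so a key from an untrusted source can be inspected before it reaches an affected gpg. It assumes subpacket type 34 is the preferred-AEAD-algorithms subpacket (the RFC 4880bis value GnuPG uses), handles both the old-format headers `gpg --export` writes and new-format headers, and the sample signature packet it builds is constructed, not a real key.

```python
import struct
# Types 11/21/22 are RFC 4880 preference subpackets; 34 (preferred AEAD
# algorithms) comes from the RFC 4880bis drafts GnuPG follows (assumed here).
PREF_SUBPACKETS = {11: "symmetric", 21: "hash", 22: "compression", 34: "aead"}

def _length(buf, i, subpacket):
    """Decode a new-format length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < (255 if subpacket else 224):              # two-octet form
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:                                     # five-octet form
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths are not supported")

def read_packets(data):
    """Yield (tag, body) per packet, old-format (as gpg --export writes) or new-format."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40:                                   # new-format header
            tag, (length, i) = ctb & 0x3F, _length(data, i + 1, False)
        else:                                            # old-format header; KeyError on
            tag, n = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 3]  # indeterminate length
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def preference_counts(data):
    """Return {kind: longest list seen} across all v4 signatures' hashed areas."""
    counts = dict.fromkeys(PREF_SUBPACKETS.values(), 0)
    for tag, body in read_packets(data):
        if tag != 2 or body[0] != 4:                     # only v4 signatures carry subpackets
            continue
        area, i = body[6:6 + struct.unpack(">H", body[4:6])[0]], 0
        while i < len(area):
            length, i = _length(area, i, True)
            kind = PREF_SUBPACKETS.get(area[i] & 0x7F)   # type byte, critical bit stripped
            if kind:                                     # list length = body minus type byte
                counts[kind] = max(counts[kind], length - 1)
            i += length
    return counts

def build_sample_signature(aead_prefs):
    """Constructed sample (not a real key): v4 signature, three ciphers + given AEAD list."""
    sub = lambda t, b: bytes([len(b) + 1, t]) + b
    hashed = sub(11, bytes([9, 8, 7])) + sub(34, aead_prefs)
    body = bytes([4, 0x13, 1, 8]) + struct.pack(">H", len(hashed)) + hashed + bytes(4)
    return bytes([0x88, len(body)]) + body
```

Run `preference_counts(open("key.gpg", "rb").read())` on a binary export; an unusually long "aead" entry is the case the advisory describes and is worth a look before importing with 2.2.21 or 2.2.22.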
CVE-2020-25125 was assigned
Fixed at revision 23688.
© 1998-2021 Gerard Beekmans.