#13974 closed enhancement (fixed)

gnupg-2.2.23

Reported by: Bruce Dubbs Owned by: Bruce Dubbs
Priority: highest Milestone: 10.1
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (5)

comment:1 by Douglas R. Reno, 11 months ago

Priority: normalhighest

Upstream has marked as critical. Marking as highest priority.

Hello!

We are pleased to announce the availability of a new GnuPG release:
version 2.2.23.  This version fixes a *critical security bug* in
versions 2.2.21 and 2.2.22.


Impact
======

These versions are affected:

 - GnuPG 2.2.21   (released 2020-07-09)
 - GnuPG 2.2.22   (released 2020-08-27)
 - Gpg4win 3.1.12 (released 2020-07-24)

All other versions are not affected.

Importing an OpenPGP key having a preference list for AEAD algorithms
will lead to an array overflow and thus often to a crash or other
undefined behaviour.

Importing an arbitrary key can often easily be triggered by an attacker
and thus triggering this bug.  Exploiting the bug aside from crashes is
not trivial but likely possible for a dedicated attacker.  The major
hurdle for an attacker is that only every second byte is under their
control with every first byte having a fixed value of 0x04.

Software distribution verification should not be affected by this bug
because such a system uses a curated list of keys.

A CVE-id has not yet been assigned.  We track this bug at
https://dev.gnupg.org/T5050


Solution
========

If GnuPG version 2.2.21 or 2.2.22 is in use please update ASAP to
version 2.2.23.

If you are using an older version or a beta of version 2.3 no immediate
action is required.

If you are using Gpg4win 3.1.12 or GnuPG VS-Desktop 3.1.12 you may
either wait for a fixed release which we will provide very soon or
install GnuPG version 2.2.23 on top.

If installation of a new version is not possible, applying the patch
https://dev.gnupg.org/rGaeb8272ca8aad403a4baac33b8d5673719cfd8f0
is also sufficient.


About GnuPG
===========

The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
of the OpenPGP and S/MIME standards.

GnuPG allows to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories.  GnuPG itself is a command line tool with features for easy
integration with other applications.  The separate library GPGME provides
a uniform API to use the GnuPG engine by software written in common
programming languages.  A wealth of frontend applications and libraries
making use of GnuPG are available.  As an universal crypto engine GnuPG
provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom).  It can
be freely used, modified and distributed under the terms of the GNU
General Public License.


Noteworthy changes in version 2.2.23
====================================

  * gpg: Fix AEAD preference list overflow.  [#5050]

  * gpg: Fix a possible segv in the key cleaning code.

  * gpgsm: Fix a minor RFC2253 parser bug.  [#5037]

  * scdaemon: Fix a PIN verify failure on certain OpenPGP card
    implementations.  Regression in 2.2.22.  [#5039]

  * po: Fix bug in the Hungarian translation.  Updates for the Czech,
    Polish, and Ukrainian translations.

  Release-info: https://dev.gnupg.org/T5045

comment:2 by Douglas R. Reno, 11 months ago

Summary: gnupg-2.2.22gnupg-2.2.23

The GnuPG 2.2.22 notes still need to be put in here

comment:3 by Douglas R. Reno, 11 months ago

CVE-2020-25125 was assigned

comment:4 by Bruce Dubbs, 11 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: newassigned

comment:5 by Bruce Dubbs, 11 months ago

Resolution: fixed
Status: assignedclosed

Fixed at revision 23688.

Note: See TracTickets for help on using tickets.