Debian Security Advisory
DSA-2601-1 gnupg, gnupg2 -- missing input sanitation
- Date Reported:
- 06 Jan 2013
- Affected Packages:
- gnupg, gnupg2
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 697108, Bug 697251.
In Mitre's CVE dictionary: CVE-2012-6085. - More information:
-
KB Sriram discovered that GnuPG, the GNU Privacy Guard did not sufficiently sanitise public keys on import, which could lead to memory and keyring corruption.
The problem affects both version 1, in the
gnupg
package, and version two, in thegnupg2
package.For the stable distribution (squeeze), this problem has been fixed in version 1.4.10-4+squeeze1 of gnupg and version 2.0.14-2+squeeze1 of gnupg2.
For the testing distribution (wheezy) and unstable distribution (sid), this problem has been fixed in version 1.4.12-7 of gnupg and version 2.0.19-2 of gnupg2.
We recommend that you upgrade your gnupg and/or gnupg2 packages.