Debian alert DLA-4437-1 (gnupg2)
| From: | "Roberto C. Sánchez" <roberto@debian.org> |
| To: | debian-lts-announce@lists.debian.org |
| Subject: | [SECURITY] [DLA 4437-1] gnupg2 security update |
| Date: | Wed, 14 Jan 2026 11:49:27 -0500 |
| Message-ID: | <aWfJF3vzECsKky89@localhost> |
-------------------------------------------------------------------------

Debian LTS Advisory DLA-4437-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Roberto C. Sánchez
January 14, 2026 https://wiki.debian.org/LTS

-------------------------------------------------------------------------

Package : gnupg2
Version : 2.2.27-2+deb11u3
CVE ID : CVE-2025-68973
Debian Bug : 1124221

Several issues have been discovered in gnupg2, a tool for secure communication and data storage.

CVE-2025-68973

There exist memory corruptions in the armor parsing code of GnuPG that can be exploited to provide primitives like out of bounds buffer read and write. This might be exploitable to the point of remote code execution (RCE).

Additional issues:

+ Potential key signature digest algorithm downgrade. GnuPG may downgrade the message digest algorithm to insecure SHA1 algorithm during signature checking due to reading from uninitialized memory. This reduces the security of User ID Certification Signatures to that of SHA1. SHA1 suffers from known cryptographic weaknesses like chosen prefix attacks.

+ Multiple plaintext attack on detached PGP signatures. An attacker can arbitrarily swap the plaintext shown to a GnuPG user, when the user verifies a detached signature versus views it with `--decrypt`. This attack allows deceiving users verifying messages, following GnuPG usage best practices about the content of a message signed with a detached signature. Note that it is possible in many scenarios to convert between signature types, i.e., convert a different signature type to a detached signature.

+ GnuPG Accepts Path Separators and Path Traversals in Literal Data. GnuPG accepts arbitrary file paths in the unsigned Literal Data packet filename field and uses that value without sufficient sanitization. In combination with tricking a user with ANSI formatted output that changes GnuPG output with deceptive apparent GnuPG logs, this can lead to creation or overwrite of any file on the system the user can write to, including executable files which the user may later execute.

For Debian 11 bullseye, these problems have been fixed in version 2.2.27-2+deb11u3.

We recommend that you upgrade your gnupg2 packages.

For the detailed security status of gnupg2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gnupg2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment: signature.asc (type=application/pgp-signature)
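As an added illustration of the Literal Data filename issue described in the advisory (this is example code, not part of the advisory and not GnuPG's own parser or fix), the following Python parses the header of an OpenPGP Literal Data packet with explicit bounds checks, extracts the unsigned filename field, and reduces it to a value a hardened consumer may use for output, rejecting path separators, traversal components and control bytes such as the ANSI escapes the advisory mentions. The packet layout follows RFC 4880; the accept/reject policy in `safe_output_name` and the `build_literal` sample builder are assumptions made for this example.

```python
import re

TAG_LITERAL = 11  # OpenPGP Literal Data packet tag (RFC 4880 section 5.9)

def parse_literal_header(pkt: bytes):
    """Return (format, filename, date, data) from one Literal Data packet.
    Supports new-format one/two-octet and old-format one/two-octet lengths."""
    ctb = pkt[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:  # new-format header: tag in the low 6 bits
        tag, first = ctb & 0x3F, pkt[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + pkt[2] + 192, 3
        else:
            raise ValueError("five-octet/partial lengths not supported here")
    else:  # old-format header: tag in bits 5..2, length type in bits 1..0
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 0:
            length, off = pkt[1], 2
        elif ltype == 1:
            length, off = int.from_bytes(pkt[1:3], "big"), 3
        else:
            raise ValueError("old-format length type not supported here")
    if tag != TAG_LITERAL:
        raise ValueError(f"packet tag {tag} is not Literal Data")
    body = pkt[off:off + length]
    # Never trust attacker-supplied lengths: verify before every slice is used.
    if len(body) != length or len(body) < 2 or len(body) < 6 + body[1]:
        raise ValueError("truncated Literal Data packet")
    name_len = body[1]
    name = body[2:2 + name_len].decode("utf-8", "replace")
    date = int.from_bytes(body[2 + name_len:6 + name_len], "big")
    return chr(body[0]), name, date, body[6 + name_len:]

def safe_output_name(name: str):
    """Policy assumed for this example: accept only a bare basename made of
    printable characters; names with separators, traversal components or
    control bytes (e.g. ANSI escapes) are rejected (None), never used as a path."""
    if not name or name in (".", "..") or re.search(r"[\x00-\x1f\x7f/\\]", name):
        return None
    return name

def build_literal(name: bytes, data: bytes) -> bytes:
    """Constructed sample packet: new-format header, one-octet length (body < 192 bytes)."""
    body = b"b" + bytes([len(name)]) + name + (0).to_bytes(4, "big") + data
    return bytes([0xC0 | TAG_LITERAL, len(body)]) + body
```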
