Summary
KB Sriram discovered that GnuPG, the GNU Privacy Guard, did not sufficiently sanitise public keys on import, which could lead to memory and keyring corruption.
The problem affects both version 1, in the gnupg package, and version 2, in the gnupg2 package.
Solution
For the stable distribution (squeeze), this problem has been fixed in version 1.4.10-4+squeeze1 of gnupg and version 2.0.14-2+squeeze1 of gnupg2.
For the testing distribution (wheezy) and unstable distribution (sid), this problem has been fixed in version 1.4.12-7 of gnupg and version 2.0.19-2 of gnupg2.
We recommend that you upgrade your gnupg and/or gnupg2 packages.
Insight
GnuPG is GNU's tool for secure communication and data storage.
It can be used to encrypt data and to create digital signatures.
Affected
gnupg, gnupg2 on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
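The version comparison behind such a check, as an added example that is not the scanner's own code: it orders Debian version strings following the Debian Policy rules (epoch, upstream version, revision, with `~` sorting lowest) and compares an installed version against the fixed versions listed under Solution. The function names and the inventory rows are assumptions made for illustration; on a Debian host, `dpkg --compare-versions` is the authoritative comparison.

```python
import re

# Fixed versions exactly as listed in the advisory, keyed by (release, package).
FIXED = {
    ("squeeze", "gnupg"): "1.4.10-4+squeeze1",
    ("squeeze", "gnupg2"): "2.0.14-2+squeeze1",
    ("wheezy", "gnupg"): "1.4.12-7",
    ("wheezy", "gnupg2"): "2.0.19-2",
    ("sid", "gnupg"): "1.4.12-7",
    ("sid", "gnupg2"): "2.0.19-2",
}

def _order(ch):
    # Debian ordering: '~' sorts before everything (even end of string),
    # letters sort before all other punctuation such as '+' and '.'.
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _part_key(part):
    # Split into alternating (non-digit, digit) runs; the trailing 0 marks
    # end-of-run so that "4" sorts before "4+squeeze1" but after "4~rc1".
    return [([_order(c) for c in text] + [0], int(num or 0))
            for text, num in re.findall(r"(\D*)(\d*)", part)]

def version_key(version):
    # [epoch:]upstream[-revision]; a missing revision is treated as "0".
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return (int(epoch), _part_key(upstream), _part_key(revision))

def is_vulnerable(release, package, installed):
    # Vulnerable when the installed version sorts strictly below the fix.
    return version_key(installed) < version_key(FIXED[(release, package)])

if __name__ == "__main__":
    # Constructed inventory rows (host data is illustrative, not from the page).
    inventory = [("squeeze", "gnupg", "1.4.10-4"),
                 ("squeeze", "gnupg2", "2.0.14-2+squeeze1"),
                 ("wheezy", "gnupg", "1.4.12-7")]
    for release, package, installed in inventory:
        state = "VULNERABLE" if is_vulnerable(release, package, installed) else "ok"
        print(f"{release:8} {package:7} {installed:20} {state}")
```

A plain string comparison would get these cases wrong: the `+squeeze1` suffix and multi-digit components such as `1.4.10` versus `1.4.9` only order correctly under the Debian rules.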
References
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2012-6085
CVSS Base Score: 5.8
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P