• Bug#1100990: gnupg2: CVE-2025-30258

    From Moritz Mühlenhoff@21:1/5 to All on Fri Mar 21 14:30:01 2025
    Source: gnupg2
    X-Debbugs-CC: team@security.debian.org
    Severity: important
    Tags: security

    Hi,

    The following vulnerability was published for gnupg2.

    CVE-2025-30258[0]:
    | In GnuPG before 2.5.5, if a user chooses to import a certificate
    | with certain crafted subkey data that lacks a valid backsig or that
    | has incorrect usage flags, the user loses the ability to verify
    | signatures made from certain other signing keys, aka a "verification
    | DoS."

    https://lists.gnupg.org/pipermail/gnupg-announce/2025q1/000491.html
    https://dev.gnupg.org/T7527
    https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-30258
    https://www.cve.org/CVERecord?id=CVE-2025-30258

    Please adjust the affected versions in the BTS as needed.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
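Added example, not from the bug report, Debian or GnuPG: a pure-Python structural check that a key-importing party could run over a binary OpenPGP key blob (such as `gpg --export` output) before import, listing subkeys that carry the signing key flag but whose v4 subkey-binding signature (type 0x18) embeds no primary-key binding signature (type 0x19, the backsig) in subpacket 32. It tests only for the backsig's presence and verifies no signatures; the packet and subpacket layouts follow RFC 4880, the function names are my own, and the sample keys are constructed.

```python
# Added example, not GnuPG code: structural pre-import lint over a binary OpenPGP
# key blob, flagging signing subkeys whose 0x18 binding sig embeds no 0x19 backsig.
def _newlen(b, i, sub=False):  # new-format (or subpacket) length at b[i] -> (len, next i)
    l = b[i]
    if l < 192: return l, i + 1
    if l < (255 if sub else 224): return ((l - 192) << 8) + b[i + 1] + 192, i + 2
    if l == 255: return int.from_bytes(b[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body length not supported")
def read_packet(buf, i):  # -> (tag, body, next i) of the OpenPGP packet at buf[i]
    c = buf[i]
    if c & 0x40:                                       # new-format header
        tag, (ln, j) = c & 0x3F, _newlen(buf, i + 1)
    else:                                              # old-format header
        tag, lt = (c >> 2) & 0x0F, c & 3
        if lt == 3: raise ValueError("indeterminate length not supported")
        j = i + 1 + (1 << lt)
        ln = int.from_bytes(buf[i + 1:j], "big")
    return tag, buf[j:j + ln], j + ln
def read_subpackets(data):  # -> [(type, body)], critical bit stripped from type
    out, i = [], 0
    while i < len(data):
        ln, j = _newlen(data, i, sub=True)
        out.append((data[j] & 0x7F, data[j + 1:j + ln]))
        i = j + ln
    return out

def audit_subkeys(blob):  # sign-flagged subkeys whose v4 0x18 binding sig has no 0x19 backsig
    findings, i, n = [], 0, 0
    while i < len(blob):
        tag, body, i = read_packet(blob, i)
        if tag == 14: n += 1                           # public-subkey packet
        elif tag == 2 and n and body[0] == 4 and body[1] == 0x18:
            hl = int.from_bytes(body[4:6], "big")      # hashed subpacket area length
            ul = int.from_bytes(body[6 + hl:8 + hl], "big")   # unhashed area length
            sps = read_subpackets(body[6:6 + hl]) + read_subpackets(body[8 + hl:8 + hl + ul])
            flags = next((b[0] for t, b in sps if t == 27 and b), 0)       # key flags
            backsig = any(t == 32 and len(b) > 1 and b[1] == 0x19 for t, b in sps)
            if flags & 0x02 and not backsig:
                findings.append(f"subkey #{n}: signing flag set but no 0x19 backsig")
    return findings

# Constructed sample keys: correct packet framing, no real cryptography.
def _sp(t, body): return bytes([len(body) + 1, t]) + body
def _pkt(tag, body): return bytes([0xC0 | tag, len(body)]) + body
def _binding(flags, backsig):
    hashed = _sp(27, bytes([flags])) + (_sp(32, b"\x04\x19\x01\x08" + b"\x00" * 6) if backsig else b"")
    return _pkt(2, b"\x04\x18\x01\x08" + len(hashed).to_bytes(2, "big") + hashed + b"\x00\x00\xab\xcd")
SUBKEY = _pkt(14, b"\x04" + b"\x00" * 7)
KEY_OK = _pkt(6, b"\x04" + b"\x00" * 7) + SUBKEY + _binding(0x02, True) + SUBKEY + _binding(0x0C, False)
KEY_BAD = _pkt(6, b"\x04" + b"\x00" * 7) + SUBKEY + _binding(0x02, False)
```

Running `audit_subkeys(open("key.gpg", "rb").read())` on an exported key returns an empty list when every signing subkey carries a backsig; an encryption-only subkey without one is not reported, since RFC 4880 requires the backsig only for signing-capable subkeys.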
  • From Andreas Metzler@21:1/5 to jmm@inutil.org on Sat Mar 22 15:20:01 2025
    On 2025-03-21 Moritz Mühlenhoff <jmm@inutil.org> wrote:
    > [...]
    > The following vulnerability was published for gnupg2.
    >
    > CVE-2025-30258[0]:
    > | In GnuPG before 2.5.5, if a user chooses to import a certificate
    > | with certain crafted subkey data that lacks a valid backsig or that
    > | has incorrect usage flags, the user loses the ability to verify
    > | signatures made from certain other signing keys, aka a "verification
    > | DoS."
    > [...]

    At first glance this probably does not warrant a DSA and can be fixed
    with a stable update.

    cu Andreas

  • From Moritz Mühlenhoff@21:1/5 to Andreas Metzler on Sat Mar 22 17:30:01 2025
    On Sat, Mar 22, 2025 at 03:15:02PM +0100, Andreas Metzler wrote:
    > On 2025-03-21 Moritz Mühlenhoff <jmm@inutil.org> wrote:
    >> [...]
    >> The following vulnerability was published for gnupg2.
    >>
    >> CVE-2025-30258[0]:
    >> | In GnuPG before 2.5.5, if a user chooses to import a certificate
    >> | with certain crafted subkey data that lacks a valid backsig or that
    >> | has incorrect usage flags, the user loses the ability to verify
    >> | signatures made from certain other signing keys, aka a "verification
    >> | DoS."
    >> [...]
    >
    > At first glance this probably does not warrant a DSA and can be fixed
    > with a stable update.

    Agreed, I'll mark it as no-dsa in the Security Tracker.

    Cheers,
    Moritz
