Forum: >>> Magnum BBS <<<

Dark
Log in

Username Password

Bug#1100990: gnupg2: CVE-2025-30258

From =?UTF-8?Q?Moritz_M=C3=BChlenhoff?=@21:1/5 to All on Fri Mar 21 14:30:01 2025

Source: gnupg2
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for gnupg2.

CVE-2025-30258[0]:
| In GnuPG before 2.5.5, if a user chooses to import a certificate
| with certain crafted subkey data that lacks a valid backsig or that
| has incorrect usage flags, the user loses the ability to verify
| signatures made from certain other signing keys, aka a "verification
| DoS."

https://lists.gnupg.org/pipermail/gnupg-announce/2025q1/000491.html https://dev.gnupg.org/T7527 https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-30258
https://www.cve.org/CVERecord?id=CVE-2025-30258

Please adjust the affected versions in the BTS as needed.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Andreas Metzler@21:1/5 to jmm@inutil.org on Sat Mar 22 15:20:01 2025

On 2025-03-21 Moritz M�hlenhoff <jmm@inutil.org> wrote:
[...]

The following vulnerability was published for gnupg2.

CVE-2025-30258[0]:
| In GnuPG before 2.5.5, if a user chooses to import a certificate
| with certain crafted subkey data that lacks a valid backsig or that
| has incorrect usage flags, the user loses the ability to verify
| signatures made from certain other signing keys, aka a "verification
| DoS."

[...]

At first glance this probably does not warrant a DSA and can be fixed
with a stable update.

cu Andreas

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Moritz =?iso-8859-1?Q?M=FChlenhoff?@21:1/5 to Andreas Metzler on Sat Mar 22 17:30:01 2025

On Sat, Mar 22, 2025 at 03:15:02PM +0100, Andreas Metzler wrote:

On 2025-03-21 Moritz M�hlenhoff <jmm@inutil.org> wrote:
[...]

The following vulnerability was published for gnupg2.

CVE-2025-30258[0]:
| In GnuPG before 2.5.5, if a user chooses to import a certificate
| with certain crafted subkey data that lacks a valid backsig or that
| has incorrect usage flags, the user loses the ability to verify
| signatures made from certain other signing keys, aka a "verification
| DoS."

[...]

At first glance this probably does not warrant a DSA and can be fixed
with a stable update.

Agreed, I'll mark it as no-dsa in the Security Tracker.

Cheers,
Moritz

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Who's Online
Recent Visitors
- Jack
  Sun Jun 8 06:41:19 2025
  from Mississipi via Telnet
- Centurion
  Sun Jun 8 00:08:04 2025
  from Berea, Ohio via Telnet
- Centurion
  Sat Jun 7 21:52:22 2025
  from Berea, Ohio via Telnet
- Tnmoc
  Sat Jun 7 13:44:20 2025
  from Milton Keynes via Telnet
- Tnmoc
  Sat Jun 7 13:40:01 2025
  from Milton Keynes via Telnet
- Plume
  Sat Jun 7 11:13:29 2025
  from Uk via SSH
- Gwylbert
  Sat Jun 7 08:57:45 2025
  from Sydney, Nsw via Telnet
- Centurion
  Sat Jun 7 04:30:40 2025
  from Berea, Ohio via Telnet

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	487
Nodes:	16 (2 / 14)
Uptime:	00:20:51
Calls:	9,660
Calls today:	2
Files:	13,709
Messages:	6,166,396