CVE-2012-6085

Publication date 31 December 2012

Last updated 24 July 2024

Ubuntu priority

The read_block function in g10/import.c in GnuPG 1.4.x before 1.4.13 and 2.0.x through 2.0.19, when importing a key, allows remote attackers to corrupt the public keyring database or cause a denial of service (application crash) via a crafted length field of an OpenPGP packet.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
gnupg	12.10 quantal	Fixed 1.4.11-3ubuntu4.1
	12.04 LTS precise	Fixed 1.4.11-3ubuntu2.2
	11.10 oneiric	Fixed 1.4.11-3ubuntu1.11.10.2
	10.04 LTS lucid	Fixed 1.4.10-2ubuntu1.2
	8.04 LTS hardy	Fixed 1.4.6-2ubuntu5.2
gnupg2	12.10 quantal	Fixed 2.0.17-2ubuntu3.1
	12.04 LTS precise	Fixed 2.0.17-2ubuntu2.12.04.2
	11.10 oneiric	Fixed 2.0.17-2ubuntu2.11.10.2
	10.04 LTS lucid	Fixed 2.0.14-1ubuntu1.5
	8.04 LTS hardy	Ignored end of life

Notes

seth-arnold

reproducer key available from dropbox url

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
gnupg	Upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=patch;h=f795a0d59e197455f8723c300eebf59e09853efa Vendor: http://www.debian.org/security/2013/dsa-2601
gnupg2	Upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=patch;h=498882296ffac7987c644aaf2a0aa108a2925471 Vendor: http://www.debian.org/security/2013/dsa-2601

References

Related Ubuntu Security Notices (USN)

USN-1682-1
GnuPG vulnerability
9 January 2013