Description
In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."
A flaw was found in GnuPG. In affected versions, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, leading to a verification denial of service.
Statement
This vulnerability is rated as Low impact. It sits in GnuPG's certificate import logic: when a user imports a crafted certificate containing a subkey whose binding lacks a valid backsig (the embedded primary-key binding signature that proves the subkey belongs to the primary key) or carries malformed usage flags, GnuPG fails to isolate the invalid key material and corrupts its internal key selection state. As a result, signatures made by certain legitimate signing keys can no longer be verified, a denial of service that extends beyond the malicious certificate itself. The impact is limited to the availability of signature verification, and exploitation requires the user to import an untrusted certificate.
Mitigation
There is no mitigation for this vulnerability other than updating. As a general precaution, users should avoid importing GnuPG certificates from untrusted or unverified sources and only import certificates known to be legitimate and obtained from trusted parties. The issue is fixed upstream in GnuPG 2.5.5; update to that version or later.
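The precaution above can be made concrete by looking at a certificate before it touches the keyring. The following is an added example, not code from this page or from the GnuPG project: a POSIX shell/awk filter over the text that `gpg --list-packets cert.asc` prints, which reports every subkey binding signature (sigclass 0x18) and flags any subkey whose key flags claim signing capability (bit 0x02) but whose binding carries no embedded backsig (subpacket 32, class 0x19). The packet dumps in `sample_packets` are constructed to mimic that output format and contain no real keys; `check_backsigs` and `sample_packets` are names chosen here.

```shell
#!/bin/sh
# Added example: pre-import check for signing subkeys without a backsig.
# Reads `gpg --list-packets` text on stdin; prints one line per subkey
# binding signature and exits 1 if a signing-capable subkey lacks a backsig.

check_backsigs() {
    awk '
    function flush() {
        if (in_binding) {
            # key-flags byte: bit 0x02 = "may sign data"; inspect the low nibble
            nib = substr(flags, length(flags), 1)
            signing = (flags != "" && index("2367abefABEF", nib) > 0)
            verdict = "ok"
            if (signing && !backsig) { verdict = "MISSING-BACKSIG"; bad++ }
            printf "subkey=%s flags=%s backsig=%s %s\n", subkey, (flags == "" ? "none" : flags), (backsig ? "yes" : "no"), verdict
        }
        in_binding = 0; flags = ""; backsig = 0
    }
    # every ":<type> packet:" header starts a new packet; close out the previous one
    /^:/ { flush(); in_subkey = ($0 ~ /^:public sub key packet:/) }
    in_subkey && /keyid:/ { subkey = $2 }
    # 0x18 = subkey binding signature issued by the primary key
    /sigclass 0x18/ { in_binding = 1 }
    in_binding && /key flags:/ {
        match($0, /key flags: [0-9a-fA-F]+/)
        flags = substr($0, RSTART + 11, RLENGTH - 11)
    }
    # subpacket 32 = embedded signature; class 0x19 = primary key binding (backsig)
    in_binding && /subpkt 32 len/ && /class 0x19/ { backsig = 1 }
    END { flush(); exit (bad > 0) }
    '
}

# Constructed packet dump in the style of `gpg --list-packets` (not a real key).
# Subkey 2222... is encryption-only (flags 0c) and needs no backsig; subkey
# 3333... claims signing (flags 02). Pass "good" to give it a backsig.
sample_packets() {
cat <<'EOF'
:public key packet:
    version 4, algo 22, created 1700000000, expires 0
    keyid: 1111111111111111
:user ID packet: "Constructed Sample <sample@example.invalid>"
:signature packet: algo 22, keyid 1111111111111111
    version 4, created 1700000000, md5len 0, sigclass 0x13
    hashed subpkt 27 len 1 (key flags: 03)
:public sub key packet:
    version 4, algo 18, created 1700000000, expires 0
    keyid: 2222222222222222
:signature packet: algo 22, keyid 1111111111111111
    version 4, created 1700000000, md5len 0, sigclass 0x18
    hashed subpkt 27 len 1 (key flags: 0c)
:public sub key packet:
    version 4, algo 22, created 1700000000, expires 0
    keyid: 3333333333333333
:signature packet: algo 22, keyid 1111111111111111
    version 4, created 1700000000, md5len 0, sigclass 0x18
    hashed subpkt 27 len 1 (key flags: 02)
EOF
if [ "$1" = good ]; then
    echo "    subpkt 32 len 122 (signature: v4, class 0x19, algo 22, digest algo 10)"
fi
}

# Real usage:  gpg --list-packets cert.asc | check_backsigs && gpg --import cert.asc
sample_packets bad | check_backsigs || echo "refuse to import: signing subkey without backsig"
```

The check is deliberately conservative: it never touches the keyring, and a certificate is only imported when the filter exits 0. `gpg --show-keys cert.asc` gives a keyring-free preview as well, but it does not expose the backsig, which is why the packet-level dump is used here.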
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | gnupg2 | Fix deferred | | |
| Red Hat Enterprise Linux 6 | gnupg2 | Out of support scope | | |
| Red Hat Enterprise Linux 7 | gnupg2 | Out of support scope | | |
| Red Hat Enterprise Linux 8 | gnupg2 | Out of support scope | | |
| Red Hat Enterprise Linux 9 | gnupg2 | Fix deferred | | |
Additional information
EPSS
2.7 Low
CVSS3