CVE-2012-6085

Publication date 31 December 2012

Last updated 24 July 2024

Ubuntu priority

The read_block function in g10/import.c in GnuPG 1.4.x before 1.4.13 and 2.0.x through 2.0.19, when importing a key, allows remote attackers to corrupt the public keyring database or cause a denial of service (application crash) via a crafted length field of an OpenPGP packet.

Read the notes from the security team

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
gnupg	12.10 quantal	Fixed 1.4.11-3ubuntu4.1
	12.04 LTS precise	Fixed 1.4.11-3ubuntu2.2
	11.10 oneiric	Fixed 1.4.11-3ubuntu1.11.10.2
	10.04 LTS lucid	Fixed 1.4.10-2ubuntu1.2
	8.04 LTS hardy	Fixed 1.4.6-2ubuntu5.2
gnupg2	12.10 quantal	Fixed 2.0.17-2ubuntu3.1
	12.04 LTS precise	Fixed 2.0.17-2ubuntu2.12.04.2
	11.10 oneiric	Fixed 2.0.17-2ubuntu2.11.10.2
	10.04 LTS lucid	Fixed 2.0.14-1ubuntu1.5
	8.04 LTS hardy	Ignored end of life

Notes

seth-arnold

reproducer key available from dropbox url

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
gnupg	Upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=patch;h=f795a0d59e197455f8723c300eebf59e09853efa Vendor: http://www.debian.org/security/2013/dsa-2601
gnupg2	Upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=patch;h=498882296ffac7987c644aaf2a0aa108a2925471 Vendor: http://www.debian.org/security/2013/dsa-2601

References

Related Ubuntu Security Notices (USN)

USN-1682-1
GnuPG vulnerability
9 January 2013