CVE-2025-30258

Publication date 19 March 2025

Last updated 28 March 2025

Ubuntu priority

In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a “verification DoS.”

Status

Show unmaintained releases

Package	Ubuntu Release	Status
gnupg2	24.10 oracular	Needs evaluation
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Needs evaluation
	20.04 LTS focal	Needs evaluation
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation

How can I get the fixes?
What do statuses mean?
Patch details

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
gnupg2	Upstream: https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=48978ccb4e20866472ef18436a32744350a65158 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=d3d7713c1799754160260cb350309dd183b397f5 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=25d748c3dfc0102f9e54afea59ff26b3969bd8c1 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=9cd371b12d80cfc5bc85cb6e5f5eebb4decbe94f Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=da0164efc7f32013bc24d97b9afa9f8d67c318bb Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=1e581619bf5315957f2be06b3b1a7f513304c126 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=4be25979a6b3e2a79d7c9667b07db8b09fb046e9

Package

Patch details

gnupg2

Upstream: https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=48978ccb4e20866472ef18436a32744350a65158
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=d3d7713c1799754160260cb350309dd183b397f5
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=25d748c3dfc0102f9e54afea59ff26b3969bd8c1
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=9cd371b12d80cfc5bc85cb6e5f5eebb4decbe94f
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=da0164efc7f32013bc24d97b9afa9f8d67c318bb
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=1e581619bf5315957f2be06b3b1a7f513304c126
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=4be25979a6b3e2a79d7c9667b07db8b09fb046e9

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2025-30258
https://lists.gnupg.org/pipermail/gnupg-announce/2025q1/000491.html