CVE-2012-6085
Published: 31 December 2012
The read_block function in g10/import.c in GnuPG 1.4.x before 1.4.13 and 2.0.x through 2.0.19, when importing a key, allows remote attackers to corrupt the public keyring database or cause a denial of service (application crash) via a crafted length field of an OpenPGP packet.
Notes
| Author | Note |
|---|---|
| seth-arnold | reproducer key available from dropbox url |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
gnupg Launchpad, Ubuntu, Debian |
hardy |
Released
(1.4.6-2ubuntu5.2)
|
| lucid |
Released
(1.4.10-2ubuntu1.2)
|
|
| oneiric |
Released
(1.4.11-3ubuntu1.11.10.2)
|
|
| precise |
Released
(1.4.11-3ubuntu2.2)
|
|
| quantal |
Released
(1.4.11-3ubuntu4.1)
|
|
| upstream |
Released
(1.4.13,1.4.12-7)
|
|
|
Patches: upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=patch;h=f795a0d59e197455f8723c300eebf59e09853efa vendor: http://www.debian.org/security/2013/dsa-2601 |
||
|
gnupg2 Launchpad, Ubuntu, Debian |
hardy |
Ignored
(reached end-of-life)
|
| lucid |
Released
(2.0.14-1ubuntu1.5)
|
|
| oneiric |
Released
(2.0.17-2ubuntu2.11.10.2)
|
|
| precise |
Released
(2.0.17-2ubuntu2.12.04.2)
|
|
| quantal |
Released
(2.0.17-2ubuntu3.1)
|
|
| upstream |
Released
(2.0.19-2)
|
|
|
Patches: upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=patch;h=498882296ffac7987c644aaf2a0aa108a2925471 vendor: http://www.debian.org/security/2013/dsa-2601 |
||