CNNVD-202512-4871 Information

CNNVD ID

CNNVD-202512-4871

CVE-2025-68973

  • CNNVD Published: 2025-12-28

Description

GnuPG is an open-source encryption suite from the GNU community in the United States, released under the GNU General Public License. It supports public-key encryption, symmetric encryption, hashing, and other algorithms. GnuPG 2.4.8 and earlier versions contain a security vulnerability caused by an incorrect increment of an index variable in armor_filter, which may lead to an out-of-bounds write.

Hazard Level

Medium

Vulnerability Type

Other

Affected Vendor

GNU

Published

2025-12-28

Last Modified

2026-02-24

References

  • https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i
  • https://gpg.fail/memcpy
  • https://www.openwall.com/lists/oss-security/2025/12/28/5
  • https://news.ycombinator.com/item?id=46403200
  • http://www.openwall.com/lists/oss-security/2025/12/29/11
  • https://github.com/gpg/gnupg/blob/ff30683418695f5d2cc9e6cf8c9418e09378ebe4/g10/armor.c#L1305-L1306
  • https://github.com/gpg/gnupg/commit/115d138ba599328005c5321c0ef9f00355838ca9
  • https://github.com/gpg/gnupg/compare/gnupg-2.2.50…gnupg-2.2.51
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-68973

Patch

https://gnupg.org/download/index.html
