Debian Security Advisory

DSA-5174-1 gnupg2 -- security update

Date Reported:
03 Jul 2022
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 1014157.
In Mitre's CVE dictionary: CVE-2022-34903.
More information:

Demi Marie Obenour discovered a flaw in GnuPG, allowing for signature spoofing via arbitrary injection into the status line. An attacker who controls the secret part of any signing-capable key or subkey in the victim's keyring, can take advantage of this flaw to provide a correctly-formed signature that some software, including gpgme, will accept to have validity and signer fingerprint chosen from the attacker.

For the oldstable distribution (buster), this problem has been fixed in version 2.2.12-1+deb10u2.

For the stable distribution (bullseye), this problem has been fixed in version 2.2.27-2+deb11u2.

We recommend that you upgrade your gnupg2 packages.

For the detailed security status of gnupg2 please refer to its security tracker page at: