[Bug 2137220] Re: CVE-2025-68973 and CVE-2025-68972 in Ubuntu
Eduardo Barretto
2137220 at bugs.launchpad.net
Mon Feb 9 09:47:13 UTC 2026
** Changed in: gnupg2 (Ubuntu)
Status: New => Triaged
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnupg2 in Ubuntu.
https://bugs.launchpad.net/bugs/2137220
Title:
CVE-2025-68973 and CVE-2025-68972 in Ubuntu
Status in gnupg2 package in Ubuntu:
Triaged
Bug description:
Over Christmas (fun, I know) there was a talk about security
vulnerabilities in GnuPG.
See discussion here: https://www.openwall.com/lists/oss-security/2025/12/28/5
There are related Debian bugs here:
https://security-tracker.debian.org/tracker/CVE-2025-68972
https://security-tracker.debian.org/tracker/CVE-2025-68973
These don't seem to be in the Ubuntu CVE tracker (e.g.
https://ubuntu.com/security/CVE-2025-68973)
Given that apt:
a) Pulls what appear to be ASCII-armored signatures over HTTP (or from possibly untrustworthy mirrors) and
b) Passes them to gpgv to verify running, presumably as root
then CVE-2025-68973 would appear to effectively allow anyone who
controls a user's DNS or mirror to execute code as root on that user's
machine, without user interaction (as of course unattended-upgrades
does all this) or when a user runs apt update.
This seems to affect 24.04, 22.04 etc.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/2137220/+subscriptions
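Added example, not part of the bug report and not apt's or GnuPG's own code: a small POSIX shell check that lists which apt sources are fetched over plain HTTP, the transport the report points to as letting whoever controls DNS or a mirror choose the signature that gpgv ends up verifying. It only measures that exposure; it does not patch gnupg2. The sources file content below is constructed, and only the one-line sources.list syntax is handled.

```shell
# Print the URI and suite of every active "deb"/"deb-src" entry read from
# stdin whose scheme is http:// (https, file, cdrom etc. are skipped).
# Commented-out lines and option blocks like "[arch=amd64]" are handled.
insecure_apt_sources() {
  grep -E '^[[:space:]]*deb(-src)?[[:space:]]' \
    | sed -E 's/^[[:space:]]*(deb(-src)?)[[:space:]]+(\[[^]]*\][[:space:]]+)?//' \
    | grep -E '^http://' || true
}

# Constructed sample sources.list; the host names are placeholders.
sample_sources() {
  cat <<'EOF'
deb http://archive.ubuntu.com/ubuntu noble main
deb [arch=amd64] http://mirror.example/ubuntu noble-updates main
deb https://esm.ubuntu.com/apps/ubuntu noble-apps-security main
# deb http://commented.example/ubuntu noble main
deb-src http://archive.ubuntu.com/ubuntu noble main
EOF
}

# Number of plain-HTTP entries in the constructed sample.
count_insecure() {
  sample_sources | insecure_apt_sources | wc -l | tr -d ' '
}

# Run against the live system with: insecure_apt_sources < /etc/apt/sources.list
```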