[ubuntu/plucky-proposed] gnupg2 2.4.4-2ubuntu23 (Accepted)

[Marc Deslauriers]

gnupg2 (2.4.4-2ubuntu23) plucky; urgency=medium

  * SECURITY UPDATE: verification DoS via crafted subkey data
    - debian/patches/CVE-2025-30258-1.patch: lookup key for merging/
      inserting only by primary key in g10/getkey.c, g10/import.c,
      g10/keydb.h.
    - debian/patches/CVE-2025-30258-2.patch: remove a signature check
      function wrapper in g10/mainproc.c, g10/packet.h, g10/sig-check.c.
    - debian/patches/CVE-2025-30258-3.patch: fix a verification DoS due to
      a malicious subkey in the keyring in g10/getkey.c, g10/gpg.h,
      g10/keydb.h, g10/mainproc.c, g10/packet.h, g10/sig-check.c.
    - debian/patches/CVE-2025-30258-4.patch: fix regression for the recent
      malicious subkey DoS fix in g10/getkey.c, g10/packet.h.
    - debian/patches/CVE-2025-30258-5.patch: fix double free of internal
      data in g10/sig-check.c.
    - CVE-2025-30258

Date: Fri, 28 Mar 2025 11:23:49 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/gnupg2/2.4.4-2ubuntu23
-------------- next part --------------
Format: 1.8
Date: Fri, 28 Mar 2025 11:23:49 -0400
Source: gnupg2
Built-For-Profiles: noudeb
Architecture: source
Version: 2.4.4-2ubuntu23
Distribution: plucky
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Changes:
 gnupg2 (2.4.4-2ubuntu23) plucky; urgency=medium
 .
   * SECURITY UPDATE: verification DoS via crafted subkey data
     - debian/patches/CVE-2025-30258-1.patch: lookup key for merging/
       inserting only by primary key in g10/getkey.c, g10/import.c,
       g10/keydb.h.
     - debian/patches/CVE-2025-30258-2.patch: remove a signature check
       function wrapper in g10/mainproc.c, g10/packet.h, g10/sig-check.c.
     - debian/patches/CVE-2025-30258-3.patch: fix a verification DoS due to
       a malicious subkey in the keyring in g10/getkey.c, g10/gpg.h,
       g10/keydb.h, g10/mainproc.c, g10/packet.h, g10/sig-check.c.
     - debian/patches/CVE-2025-30258-4.patch: fix regression for the recent
       malicious subkey DoS fix in g10/getkey.c, g10/packet.h.
     - debian/patches/CVE-2025-30258-5.patch: fix double free of internal
       data in g10/sig-check.c.
     - CVE-2025-30258
Checksums-Sha1:
 149484cf28993062f13a1ca09809d6312f0a7de7 3625 gnupg2_2.4.4-2ubuntu23.dsc
 8fa699799c51ed554166a1d0a0c4dd46272f5ea8 97256 gnupg2_2.4.4-2ubuntu23.debian.tar.xz
 91142bc4cca9532046d4038a70c5720c22ed3c5b 8636 gnupg2_2.4.4-2ubuntu23_source.buildinfo
Checksums-Sha256:
 67840bc681aad7d59aa6989507f3a5c126cb33ba1f2249dc70b7d3b176ec95d8 3625 gnupg2_2.4.4-2ubuntu23.dsc
 09a7e9026b9212dd194b77cb5a8bfff580dc8df864158e7f439d49b4a70f7a4a 97256 gnupg2_2.4.4-2ubuntu23.debian.tar.xz
 8fc4994bb0970b6542a83a45e95f96de3a989be49d0177c9b194a20d2b210c80 8636 gnupg2_2.4.4-2ubuntu23_source.buildinfo
Files:
 9814bf5ba64067038843a8b3822434bf 3625 utils optional gnupg2_2.4.4-2ubuntu23.dsc
 8f936e70c503b49f43164c9b0c42a0b1 97256 utils optional gnupg2_2.4.4-2ubuntu23.debian.tar.xz
 1787aaf76827f68af8c4ad502349fff7 8636 utils optional gnupg2_2.4.4-2ubuntu23_source.buildinfo
Original-Maintainer: Debian GnuPG Maintainers <pkg-gnupg-maint at lists.alioth.debian.org>