Your message dated Mon, 29 Dec 2025 17:34:38 +0000
with message-id <[email protected]>
and subject line Bug#1124221: fixed in gnupg2 2.4.8-5
has caused the Debian Bug report #1124221,
regarding gnupg2: CVE-2025-68973
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1124221: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124221
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gnupg2
Version: 2.4.8-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.4.7-21
Control: found -1 2.2.40-1.1+deb12u1
Control: found -1 2.2.40-1.1
Hi,

The following vulnerability was published for gnupg2.

CVE-2025-68973[0]:
| In GnuPG through 2.4.8, armor_filter in g10/armor.c has two
| increments of an index variable where one is intended, leading to an
| out-of-bounds write for crafted input.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-68973
    https://www.cve.org/CVERecord?id=CVE-2025-68973
[1] https://github.com/gpg/gnupg/commit/115d138ba599328005c5321c0ef9f00355838ca9

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gnupg2
Source-Version: 2.4.8-5
Done: Andreas Metzler <[email protected]>
We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated gnupg2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 29 Dec 2025 18:03:49 +0100
Source: gnupg2
Architecture: source
Version: 2.4.8-5
Distribution: unstable
Urgency: high
Maintainer: Debian GnuPG Maintainers <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Closes: 1124221
Changes:
 gnupg2 (2.4.8-5) unstable; urgency=high
 .
   [ Salvatore Bonaccorso ]
   * common: Reformat some comments in iobuf.c
   * gpg: Fix possible memory corruption in the armor parser (CVE-2025-68973)
     (Closes: #1124221) https://gpg.fail/memcpy #5
 .
   [ Andreas Metzler ]
   * Avoid potential downgrade to SHA1 in 3rd party key signatures.
     https://gpg.fail/sha1 #12
     Patch from STABLE-BRANCH-2-4
   * gpg: Error out on unverified output for non-detached signatures.
     https://gpg.fail/detached #1
     Patch from STABLE-BRANCH-2-4
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---