CVE-2020-25125
First published: Thu Sep 03 2020(Updated: )
GnuPG 2.2.21 and 2.2.22 (and Gpg4win 3.1.12) has an array overflow, leading to a crash or possibly unspecified other impact, when a victim imports an attacker's OpenPGP key, and this key has AEAD preferences. The overflow is caused by a g10/key-check.c error. NOTE: GnuPG 2.3.x is unaffected. GnuPG 2.2.23 is a fixed version.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gnupg Gnupg | =2.2.21 | |
| Gnupg Gnupg | =2.2.22 | |
| Gpg4win Gpg4win | =3.1.12 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2020/09/03/4
- http://www.openwall.com/lists/oss-security/2020/09/03/5
- https://bugzilla.opensuse.org/show_bug.cgi?id=1176034
- https://dev.gnupg.org/T5050
- https://dev.gnupg.org/rG8ec9573e57866dda5efb4677d4454161517484bc
- https://lists.gnupg.org/pipermail/gnupg-announce/2020q3/000448.html
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2020-25125.
What is the severity of CVE-2020-25125?
The severity of CVE-2020-25125 is high, with a CVSS score of 7.8.
Which software versions are affected by CVE-2020-25125?
The affected software versions are GnuPG 2.2.21, GnuPG 2.2.22, and Gpg4win 3.1.12.
What is the impact of CVE-2020-25125?
The impact of CVE-2020-25125 can lead to a crash or possibly unspecified other impact.
How can I fix CVE-2020-25125?
There is no known fix or patch available for CVE-2020-25125 at the moment. It is recommended to follow the provided references for any updates or mitigation strategies.
- collector/nvd-index
- vendor/gnupg
- product/gnupg
- canonical/gnupg gnupg
- vendor/gpg4win
- product/gpg4win
- canonical/gpg4win gpg4win