Package "gpgsm"

| Name: | gpgsm |
| Description: | GNU privacy guard - S/MIME version |
| Latest version: | 2.2.19-3ubuntu2.5 |
| Release: | focal (20.04) |
| Level: | security |
| Repository: | main |
| Head package: | gnupg2 |
| Homepage: | https://www.gnupg.org/ |

Changelog

gnupg2 (2.2.19-3ubuntu2.5) focal-security; urgency=medium
  * debian/patches/fix-key-validity-regression-due-to-CVE-2025-30258.patch:
    - Fix a key validity regression following patches for CVE-2025-30258,
      causing trusted "certify-only" primary keys to be ignored when checking
      signature on user IDs and computing key validity. This regression makes
      imported keys signed by a trusted "certify-only" key have an unknown
      validity (LP: #2114775).
 -- dcpi <dcpi@u22vm> Thu, 26 Jun 2025 16:57:26 +0000

| 2114775 | Key validity not computed when key is certified by a trusted \ |
| CVE-2025-30258 | In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect us |

gnupg2 (2.2.19-3ubuntu2.4) focal-security; urgency=medium
  * SECURITY UPDATE: verification DoS via crafted subkey data
    - debian/patches/CVE-2025-30258-1.patch: lookup key for merging/
      inserting only by primary key in g10/getkey.c, g10/import.c,
      g10/keydb.h.
    - debian/patches/CVE-2025-30258-2.patch: remove a signature check
      function wrapper in g10/mainproc.c, g10/packet.h, g10/sig-check.c.
    - debian/patches/CVE-2025-30258-3.patch: fix a verification DoS due to
      a malicious subkey in the keyring in g10/getkey.c, g10/keydb.h,
      g10/mainproc.c, g10/packet.h, g10/sig-check.c, g10/pkclist.c.
    - debian/patches/CVE-2025-30258-4.patch: fix regression for the recent
      malicious subkey DoS fix in g10/getkey.c, g10/packet.h.
    - debian/patches/CVE-2025-30258-5.patch: fix double free of internal
      data in g10/sig-check.c.
    - CVE-2025-30258
 -- Marc Deslauriers <email address hidden> Sat, 29 Mar 2025 12:35:54 -0400

| CVE-2025-30258 | In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect us |

gnupg2 (2.2.19-3ubuntu2.2) focal-security; urgency=medium
  * SECURITY UPDATE: signature forgery via injection into the status line
    - debian/patches/CVE-2022-34903.patch: Fix garbled status messages in
      NOTATION_DATA in g10/cpr.c.
    - CVE-2022-34903
 -- Marc Deslauriers <email address hidden> Mon, 04 Jul 2022 12:20:36 -0400

| CVE-2022-34903 | GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g. |