UbuntuUpdates.org

Package "gpgv-static"

Name: gpgv-static

Description:

minimal signature verification tool (static build)
Latest version: 2.4.4-2ubuntu17.4
Release: noble (24.04)
Level: security
Repository: universe
Head package: gnupg2
Homepage: https://www.gnupg.org/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "gpgv-static"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "gpgv-static" in Noble

Repository Area Version
base universe 2.4.4-2ubuntu17
updates universe 2.4.4-2ubuntu17.4

Changelog

Version: 2.4.4-2ubuntu17.4 2026-01-08 01:17:50 UTC

  gnupg2 (2.4.4-2ubuntu17.4) noble-security; urgency=medium

  * SECURITY UPDATE: Remote Code Execution
    - debian/patches/CVE-2025-68973.patch: gpg: Fix possible memory
    corruption in the armor parser.
    - CVE-2025-68973

 -- Allen Huang <email address hidden> Mon, 05 Jan 2026 22:01:39 +0000
Source diff to previous version
CVE-2025-68973 In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write f

Version: 2.4.4-2ubuntu17.3 2025-07-07 19:07:14 UTC

  gnupg2 (2.4.4-2ubuntu17.3) noble-security; urgency=medium

  * debian/patches/fix-key-validity-regression-due-to-CVE-2025-
    30258.patch:
    - Fix a key validity regression following patches for CVE-2025-30258,
      causing trusted "certify-only" primary keys to be ignored when checking
      signature on user IDs and computing key validity. This regression makes
      imported keys signed by a trusted "certify-only" key have an unknown
      validity (LP: #2114775).

 -- dcpi <dcpi@u22vm> Thu, 26 Jun 2025 13:17:22 +0000
Source diff to previous version
2114775 Key validity not computed when key is certified by a trusted \
CVE-2025-30258 In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect us

Version: 2.4.4-2ubuntu17.2 2025-04-03 16:07:15 UTC

  gnupg2 (2.4.4-2ubuntu17.2) noble-security; urgency=medium

  * SECURITY UPDATE: verification DoS via crafted subkey data
    - debian/patches/CVE-2025-30258-1.patch: lookup key for merging/
      inserting only by primary key in g10/getkey.c, g10/import.c,
      g10/keydb.h.
    - debian/patches/CVE-2025-30258-2.patch: remove a signature check
      function wrapper in g10/mainproc.c, g10/packet.h, g10/sig-check.c.
    - debian/patches/CVE-2025-30258-3.patch: fix a verification DoS due to
      a malicious subkey in the keyring in g10/getkey.c, g10/gpg.h,
      g10/keydb.h, g10/mainproc.c, g10/packet.h, g10/sig-check.c.
    - debian/patches/CVE-2025-30258-4.patch: fix regression for the recent
      malicious subkey DoS fix in g10/getkey.c, g10/packet.h.
    - debian/patches/CVE-2025-30258-5.patch: fix double free of internal
      data in g10/sig-check.c.
    - CVE-2025-30258

 -- Marc Deslauriers <email address hidden> Fri, 28 Mar 2025 11:23:49 -0400
CVE-2025-30258 In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect us


About   -   Send Feedback to @ubuntu_updates