VYPR

rpm package

opensuse/gpg2&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/gpg2&distro=openSUSE%20Tumbleweed

Vulnerabilities (18)

  • CVE-2026-24883Jan 27, 2026
    affected < 2.5.17-1.1fixed 2.5.17-1.1

    In GnuPG before 2.5.17, a long signature packet length causes parse_signature to return success with sig->data[] set to a NULL value, leading to a denial of service (application crash).

  • CVE-2026-24882Jan 27, 2026
    affected < 2.5.17-1.1fixed 2.5.17-1.1

    In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.

  • CVE-2026-24881Jan 27, 2026
    affected < 2.5.17-1.1fixed 2.5.17-1.1

    In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT--kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memor

  • CVE-2025-68973Dec 28, 2025
    affected < 2.5.16-1.1fixed 2.5.16-1.1

    In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)

  • CVE-2025-30258Mar 19, 2025
    affected < 2.5.6-1.1fixed 2.5.6-1.1

    In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."

  • CVE-2022-34903Jul 1, 2022
    affected < 2.3.7-1.1fixed 2.3.7-1.1

    GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.

  • CVE-2020-25125Sep 3, 2020
    affected < 2.2.27-2.4fixed 2.2.27-2.4

    GnuPG 2.2.21 and 2.2.22 (and Gpg4win 3.1.12) has an array overflow, leading to a crash or possibly unspecified other impact, when a victim imports an attacker's OpenPGP key, and this key has AEAD preferences. The overflow is caused by a g10/key-check.c error. NOTE: GnuPG 2.3.x is

  • CVE-2019-14855Mar 20, 2020
    affected < 2.2.27-2.4fixed 2.2.27-2.4

    A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.

  • CVE-2018-12020Jun 8, 2018
    affected < 2.2.27-2.4fixed 2.2.27-2.4

    mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP da

  • CVE-2018-9234Apr 4, 2018
    affected < 2.2.27-2.4fixed 2.2.27-2.4

    GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.

  • CVE-2014-4617Jun 25, 2014
    affected < 2.1.16-1.1fixed 2.1.16-1.1

    The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

  • CVE-2013-4402Oct 28, 2013
    affected < 2.1.16-1.1fixed 2.1.16-1.1

    The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message.

  • CVE-2013-4351Oct 10, 2013
    affected < 2.1.16-1.1fixed 2.1.16-1.1

    GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey.

  • CVE-2010-2547HigAug 5, 2010
    affected < 2.1.16-1.1fixed 2.1.16-1.1

    Use-after-free vulnerability in kbx/keybox-blob.c in GPGSM in GnuPG 2.x through 2.0.16 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a certificate with a large number of Subject Alternate Names, which is not properly handled

  • CVE-2008-1530Mar 27, 2008
    affected < 2.2.27-2.4fixed 2.2.27-2.4

    GnuPG (gpg) 1.4.8 and 2.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted duplicate keys that are imported from key servers, which triggers "memory corruption around deduplication of user IDs."

  • CVE-2006-6169Nov 29, 2006
    affected < 2.2.27-2.4fixed 2.2.27-2.4

    Heap-based buffer overflow in the ask_outfile_name function in openfile.c for GnuPG (gpg) 1.4 and 2.0, when running interactively, might allow attackers to execute arbitrary code via messages with "C-escape" expansions, which cause the make_printable_string function to return a l

  • CVE-2006-3746Jul 28, 2006
    affected < 2.2.27-2.4fixed 2.2.27-2.4

    Integer overflow in parse_comment in GnuPG (gpg) 1.4.4 allows remote attackers to cause a denial of service (segmentation fault) via a crafted message.

  • CVE-2006-0455Feb 15, 2006
    affected < 2.2.27-2.4fixed 2.2.27-2.4

    gpgv in GnuPG before 1.4.2.1, when using unattended signature verification, returns a 0 exit code in certain cases even when the detached signature file does not carry a signature, which could cause programs that use gpgv to assume that the signature verification has succeeded.