A vulnerability was found in GnuPG and Gpg4win (the affected version is unknown). It has been classified as critical. Affected is an unknown code of the file g10/key-check.c of the component Key Import. The manipulation with an unknown input leads to a buffer overflow vulnerability (Array Index). CWE is classifying the issue as CWE-120. The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

GnuPG 2.2.21 and 2.2.22 (and Gpg4win 3.1.12) has an array overflow, leading to a crash or possibly unspecified other impact, when a victim imports an attacker's OpenPGP key, and this key has AEAD preferences. The overflow is caused by a g10/key-check.c error. NOTE: GnuPG 2.3.x is unaffected. GnuPG 2.2.23 is a fixed version.

The weakness was published 09/03/2020 (oss-sec). The advisory is available at openwall.com. This vulnerability is traded as CVE-2020-25125 since 09/03/2020. The exploitability is told to be difficult. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Successful exploitation requires user interaction by the victim. Technical details are known, but there is no available exploit. The advisory points out:

Importing an OpenPGP key having a preference list for AEAD algorithms will lead to an array overflow and thus often to a crash or other undefined behaviour.

Upgrading eliminates this vulnerability.

Productinfo

Name

• GnuPG
• Gpg4win

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion