Your message dated Thu, 01 Jan 2026 22:02:20 +0000
with message-id <[email protected]>
and subject line Bug#1124221: fixed in gnupg2 2.4.7-21+deb13u1
has caused the Debian Bug report #1124221,
regarding gnupg2: CVE-2025-68973
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1124221: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124221
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gnupg2
Version: 2.4.8-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.4.7-21
Control: found -1 2.2.40-1.1+deb12u1
Control: found -1 2.2.40-1.1

Hi,

The following vulnerability was published for gnupg2.

CVE-2025-68973[0]:
| In GnuPG through 2.4.8, armor_filter in g10/armor.c has two
| increments of an index variable where one is intended, leading to an
| out-of-bounds write for crafted input.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-68973
    https://www.cve.org/CVERecord?id=CVE-2025-68973
[1] https://github.com/gpg/gnupg/commit/115d138ba599328005c5321c0ef9f00355838ca9

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: gnupg2
Source-Version: 2.4.7-21+deb13u1
Done: Andreas Metzler <[email protected]>

We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated gnupg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 01 Jan 2026 06:46:01 +0100
Source: gnupg2
Architecture: source
Version: 2.4.7-21+deb13u1
Distribution: trixie
Urgency: high
Maintainer: Debian GnuPG Maintainers <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Closes: 1124221
Changes:
 gnupg2 (2.4.7-21+deb13u1) trixie; urgency=high
 .
   * Avoid potential downgrade to SHA1 in 3rd party key signatures.
     https://gpg.fail/sha1 #12
     Patch from STABLE-BRANCH-2-4
   * gpg: Error out on unverified output for non-detached signatures.
     https://gpg.fail/detached #1
     Patch from STABLE-BRANCH-2-4
   * gpg: Fix possible memory corruption in the armor parser (CVE-2025-68973)
     https://gpg.fail/memcpy #5
     Patch from STABLE-BRANCH-2-4 (Closes: #1124221)
   * gpg: Do not use a default when asking for another output filename.
     https://gpg.fail/filename #2
     Unfuzzed patch from GIT master

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
