CVE-2022-34903

NameCVE-2022-34903
DescriptionGnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5174-1, ELA-636-1
Debian Bugs1014157

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gnupg (PTS)jessie, jessie (lts)1.4.18-7+deb8u5vulnerable
gnupg1 (PTS)stretch (security), stretch (lts), stretch1.4.21-4+deb9u1vulnerable
buster1.4.23-1vulnerable
bullseye, bookworm1.4.23-1.1vulnerable
sid, trixie1.4.23-2vulnerable
gnupg2 (PTS)jessie, jessie (lts)2.0.26-6+deb8u3fixed
stretch (security)2.1.18-8~deb9u2vulnerable
stretch (lts), stretch2.1.18-8~deb9u5fixed
buster (security), buster, buster (lts)2.2.12-1+deb10u2fixed
bullseye (security), bullseye2.2.27-2+deb11u2fixed
bookworm2.2.40-1.1fixed
sid, trixie2.2.45-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gnupgsourcejessie(unfixed)unimportant
gnupgsource(unstable)(unfixed)
gnupg1source(unstable)(unfixed)unimportant
gnupg2sourcejessie2.0.26-6+deb8u3ELA-636-1
gnupg2sourcestretch2.1.18-8~deb9u5ELA-636-1
gnupg2sourcebuster2.2.12-1+deb10u2DSA-5174-1
gnupg2sourcebullseye2.2.27-2+deb11u2DSA-5174-1
gnupg2source(unstable)2.2.35-31014157

Notes

https://dev.gnupg.org/T6027
https://www.openwall.com/lists/oss-security/2022/06/30/1
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=34c649b3601383cd11dbc76221747ec16fd68e1b
Search for package or bug name: Reporting problems