StarlingX

[Debian] Medium CVE: CVE-2022-34903: gnupg2: allows signature forgery via injection into the status line

Bug #2021475 reported by Yue Tao on 2023-05-29

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	StarlingX	Fix Released	Medium	ZhangXiao

Bug Description

CVE-2022-34903: https://nvd.nist.gov/vuln/detail/CVE-2022-34903

GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.

Base Score: Medium

References:

https://security-tracker.debian.org/tracker/CVE-2022-34903

https://www.debian.org/security/2022/dsa-5174

['dirmngr_2.2.27-2+deb11u1_amd64.deb===>dirmngr_2.2.27-2+deb11u2_amd64.deb', 'gnupg_2.2.27-2+deb11u1_all.deb===>gnupg_2.2.27-2+deb11u2_all.deb', 'gnupg-l10n_2.2.27-2+deb11u1_all.deb===>gnupg-l10n_2.2.27-2+deb11u2_all.deb', 'gnupg-utils_2.2.27-2+deb11u1_amd64.deb===>gnupg-utils_2.2.27-2+deb11u2_amd64.deb', 'gpg_2.2.27-2+deb11u1_amd64.deb===>gpg_2.2.27-2+deb11u2_amd64.deb', 'gpg-agent_2.2.27-2+deb11u1_amd64.deb===>gpg-agent_2.2.27-2+deb11u2_amd64.deb', 'gpgconf_2.2.27-2+deb11u1_amd64.deb===>gpgconf_2.2.27-2+deb11u2_amd64.deb', 'gpgsm_2.2.27-2+deb11u1_amd64.deb===>gpgsm_2.2.27-2+deb11u2_amd64.deb', 'gpgv_2.2.27-2+deb11u1_amd64.deb===>gpgv_2.2.27-2+deb11u2_amd64.deb', 'gpg-wks-client_2.2.27-2+deb11u1_amd64.deb===>gpg-wks-client_2.2.27-2+deb11u2_amd64.deb', 'gpg-wks-server_2.2.27-2+deb11u1_amd64.deb===>gpg-wks-server_2.2.27-2+deb11u2_amd64.deb']