Thanks for reporting this - FYI you can see the status of each CVE via the CVE tracker http://people.canonical.com/~ubuntu-security/cve/
i.e.
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7526.html
This CVE was triaged against libgcrypt only - not against gnupg1 - and all the upstream CVE trackers only seem to reference this CVE against libgcrypt. I can see the mention of CVE-2017-7526 on their homepage for GnuPG 1.4.23, however looking at the changes for 1.4.23 I can see no commits that appear relevant to this CVE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=shortlog;h=refs/heads/STABLE-BRANCH-1-4
However, if we look at the changes that went into 1.4.22 then there are a bunch of changes which look analogous to the ones for libgcrypt for CVE-2017-7526:
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=b38f4489f75e6e435886aa885807738a22c7ff60
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=12029f83fd0ab3e8ad524f6c9135854662fddfd1
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=554ded4854758bf6ca268432fa087f946932a409
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=8fd9f72e1b2e578e45c98c978cab4f6d47683d2c
Also I can't see any release announcements for 1.4.22 or 1.4.23 in gnupg-announce either, which is unfortunate.
I will retriage this against gnupg1 as well and this will be fixed soon.