10 matches found
CVE-2001-0522
The CVE-2001-0522 issue concerns GnuPG (GPG) versions 1.0.5 and earlier, where a format-string vulnerability in the do_get/tty_printf flow exposes the original encrypted-file filename to format-string processing. This can allow code execution with the privileges of the user decrypting the file. T...
CVE-2006-0455
CVE-2006-0455 concerns GnuPG’s gpgv tool (and gpg --verify) emitting a false success exit code for malformed or detached signatures. It affects GnuPG versions prior to 1.4.2.1, and the issue can allow automated scripts to falsely assume verification succeeded. The risk is described as a local attack vector with ...
CVE-2006-6235
The CVE-2006-6235 vulnerability is a stack overwrite flaw in GnuPG (gpg) affecting 1.x versions before 1.4.6, 2.x before 2.0.2, and 1.9.0–1.9.95. A crafted OpenPGP packet can cause GnuPG to dereference a function pointer from deallocated stack memory, enabling arbitrary code execution. Multiple a...
CVE-2006-0049
GnuPG (gnupg) prior to 1.4.2.2 is affected by CVE-2006-0049: it does not properly verify non-detached or inline signatures, allowing an attacker to inject unsigned data into a checked message and have the signature appear valid. Several advisories (Ubuntu USN-264-1, CentOS/CESA-2006:0266, Mandrak...
CVE-2003-0971
GnuPG (GPG) versions 1.0.2 through 1.2.3 are affected by an ElGamal sign+encrypt issue where the same key component is used for encryption and signing. The root cause is the construction of ElGamal type 20 keys, which allows an attacker to determine the private key from a signature. The connected...
CVE-2003-0255
GnuPG contains a vulnerability (CVE-2003-0255) where the key validation logic in versions prior to 1.2.2 incorrectly determines the validity of keys with multiple user IDs, effectively assigning the highest trust value to all UIDs on a key. This can prevent warning prompts when encrypting to a ke...
CVE-2001-0072
CVE-2001-0072 is confirmed via multiple connected sources: GnuPG 1.0.4 and related versions import private keys when importing public keys from key servers without notifying the user, potentially corrupting the user’s web of trust. The Mandrake advisory MDKSA-2000:087 notes this behavior and indi...
CVE-2001-0071
CVE-2001-0071 affects GnuPG (gpg) 1.0.4 and other versions, where the software does not properly verify detached signatures. This is reported to allow an attacker to modify the contents of a file without detection. The connected documents confirm the affected component and the underlying issue bu...
CVE-2003-0978
CVE-2003-0978 affects the GnuPG client’s gpgkeys_hkp implementation (experimental HKP interface). The vulnerability is a format string issue that can be triggered during key retrieval, potentially allowing a remote attacker or a malicious keyserver to crash the client and, in some scenarios, exec...
CVE-2000-0974
CVE-2000-0974 concerns GnuPG (gpg) 1.0.3 and earlier versions, which fail to properly verify all signatures in a file containing multiple documents. The underlying flaw allows an attacker to modify the contents of all documents after the first without detection, as described in the CVE entry and ...