GnuPG 2.2.21 and 2.2.22 (and Gpg4win 3.1.12) has an array...
Moderate severity
Unreviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Jan 29, 2023
Description
Published by the National Vulnerability Database
Sep 3, 2020
Published to the GitHub Advisory Database
May 24, 2022
Last updated
Jan 29, 2023
GnuPG 2.2.21 and 2.2.22 (and Gpg4win 3.1.12) has an array overflow, leading to a crash or possibly unspecified other impact, when a victim imports an attacker's OpenPGP key, and this key has AEAD preferences. The overflow is caused by a g10/key-check.c error. NOTE: GnuPG 2.3.x is unaffected. GnuPG 2.2.23 is a fixed version.
References