CVETag
ActivePublic
Watch Project

Members

This project does not have any members.
View All

Watchers

This project does not have any watchers.
View All

Details

Description

This bug has an associated CVE id.

Such bugs often have restricted access before the publication. Take care that this bug tracker does not yet encrypt mails to subscribers, so for highly sensitive issues take care what you comment in the report while it is still restricted.

Recent Activity
View All

Thu, Feb 12

• werner lowered the priority of T8045: Stack-based buffer overflow in TPM2 `PKDECRYPT` from Unbreak Now! to Normal.

Thu, Feb 12, 11:14 AM · gnupg26, CVE, TPM, Bug Report

• gniibe added a comment to T8045: Stack-based buffer overflow in TPM2 `PKDECRYPT`.

The fix causes a regression. Reported: https://lists.gnupg.org/pipermail/gnupg-devel/2026-February/036218.html

Thu, Feb 12, 2:49 AM · gnupg26, CVE, TPM, Bug Report

• gniibe reopened T8045: Stack-based buffer overflow in TPM2 `PKDECRYPT` as "Open".

This is not 2.5-only.

Thu, Feb 12, 2:48 AM · gnupg26, CVE, TPM, Bug Report

Sun, Feb 1

ametzler1 added a comment to T8045: Stack-based buffer overflow in TPM2 `PKDECRYPT`.

CVE-2026-24882 has been assigned to this issue.

Sun, Feb 1, 4:45 PM · gnupg26, CVE, TPM, Bug Report

Tue, Jan 27

• werner set External Link to https://lists.gnupg.org/pipermail/gnupg-announce/2026q1/000501.html on T7996: Release GnuPG 2.5.17 (security).

Tue, Jan 27, 5:52 PM · CVE, gnupg, Release Info

• werner closed T8045: Stack-based buffer overflow in TPM2 `PKDECRYPT` as Resolved.

Tue, Jan 27, 5:18 PM · gnupg26, CVE, TPM, Bug Report

• werner changed the visibility for T8045: Stack-based buffer overflow in TPM2 `PKDECRYPT`.

Tue, Jan 27, 5:12 PM · gnupg26, CVE, TPM, Bug Report

• werner closed T8044: gpg-agent stack buffer overflow in pkdecrypt using KEM as Resolved.

Tue, Jan 27, 5:12 PM · CVE, gnupg26, gpgagent, Bug Report

• werner changed the visibility for T7996: Release GnuPG 2.5.17 (security).

Tue, Jan 27, 5:11 PM · CVE, gnupg, Release Info

• werner added a comment to T7996: Release GnuPG 2.5.17 (security).

This is a security update

Tue, Jan 27, 3:47 PM · CVE, gnupg, Release Info

• werner renamed T7996: Release GnuPG 2.5.17 (security) from Release GnuPG 2.5.17 to Release GnuPG 2.5.17 (security).

Tue, Jan 27, 3:44 PM · CVE, gnupg, Release Info

• ebo moved T8045: Stack-based buffer overflow in TPM2 `PKDECRYPT` from Backlog to Done on the gnupg26 board.

Tue, Jan 27, 2:34 PM · gnupg26, CVE, TPM, Bug Report

• ebo edited projects for T8045: Stack-based buffer overflow in TPM2 `PKDECRYPT`, added: gnupg26; removed gnupg.

Tue, Jan 27, 2:33 PM · gnupg26, CVE, TPM, Bug Report

• ebo moved T8044: gpg-agent stack buffer overflow in pkdecrypt using KEM from Backlog to Done on the gnupg26 board.

Tue, Jan 27, 2:31 PM · CVE, gnupg26, gpgagent, Bug Report

Sun, Jan 25

• werner changed the status of T8045: Stack-based buffer overflow in TPM2 `PKDECRYPT` from Open to Testing.

Sun, Jan 25, 5:02 PM · gnupg26, CVE, TPM, Bug Report

Jan 22 2026

• gniibe renamed T8045: Stack-based buffer overflow in TPM2 `PKDECRYPT` from Security (internal) - Stack-based buffer overflow in TPM2 `PKDECRYPT` to Stack-based buffer overflow in TPM2 `PKDECRYPT`.

Jan 22 2026, 12:33 AM · gnupg26, CVE, TPM, Bug Report

Jan 21 2026

• werner shifted T8045: Stack-based buffer overflow in TPM2 `PKDECRYPT` from the Restricted Space space to the S1 Public space.

Jan 21 2026, 12:40 PM · gnupg26, CVE, TPM, Bug Report

• werner shifted T8044: gpg-agent stack buffer overflow in pkdecrypt using KEM from the Restricted Space space to the S1 Public space.

Jan 21 2026, 12:23 PM · CVE, gnupg26, gpgagent, Bug Report

• werner changed the status of T8044: gpg-agent stack buffer overflow in pkdecrypt using KEM from Open to Testing.

Jan 21 2026, 10:20 AM · CVE, gnupg26, gpgagent, Bug Report

Jan 20 2026

• werner claimed T8044: gpg-agent stack buffer overflow in pkdecrypt using KEM.

Jan 20 2026, 2:44 PM · CVE, gnupg26, gpgagent, Bug Report

• werner added a comment to T8044: gpg-agent stack buffer overflow in pkdecrypt using KEM.

I have this fix committed to my working directory:

Jan 20 2026, 12:54 PM · CVE, gnupg26, gpgagent, Bug Report

• werner added a project to T8044: gpg-agent stack buffer overflow in pkdecrypt using KEM: CVE.

We have no CVE yet. However, CVE is also a good tag for security bugs,

Jan 20 2026, 12:18 PM · CVE, gnupg26, gpgagent, Bug Report

Dec 22 2022

• werner added a project to T6284: Another integer overflow in Libksba: CVE.

This bug is CVE-2022-47629

Dec 22 2022, 10:48 AM · CVE, Bug Report, libksba

Dec 6 2022

• werner updated the task description for T6230: Release Libksba 1.6.2 (CVE-2022-3515).

Dec 6 2022, 2:23 PM · CVE, Release Info, libksba

Oct 28 2022

• werner closed T5947: Release GnuPG 2.3.7 as Resolved.

Oct 28 2022, 4:05 PM · CVE, Release Info, gnupg (gpg23)

Oct 18 2022

• werner closed T6230: Release Libksba 1.6.2 (CVE-2022-3515) as Resolved.

Oct 18 2022, 7:52 AM · CVE, Release Info, libksba

Oct 17 2022

• werner added a comment to T6230: Release Libksba 1.6.2 (CVE-2022-3515).

Fixed Gpg4win version: https://lists.wald.intevation.org/pipermail/gpg4win-announce/2022/000098.html

Oct 17 2022, 3:03 PM · CVE, Release Info, libksba

• werner set External Link to https://gnupg.org/blog/20221017-pepe-left-the-ksba.html on T6230: Release Libksba 1.6.2 (CVE-2022-3515).

Oct 17 2022, 9:26 AM · CVE, Release Info, libksba

• werner added a comment to T6230: Release Libksba 1.6.2 (CVE-2022-3515).

As usual see https://gnupg.org/download for links to the latest packages. For Gpg4win see https://gpg4win.org

Oct 17 2022, 9:25 AM · CVE, Release Info, libksba

• werner reopened T6230: Release Libksba 1.6.2 (CVE-2022-3515) as "Open".

Oct 17 2022, 7:56 AM · CVE, Release Info, libksba

• werner renamed T6230: Release Libksba 1.6.2 (CVE-2022-3515) from Release Libksba 1.6.2 to Release Libksba 1.6.2 (CVE-2022-3515).

Oct 17 2022, 7:56 AM · CVE, Release Info, libksba

• werner updated the task description for T6230: Release Libksba 1.6.2 (CVE-2022-3515).

Oct 17 2022, 7:46 AM · CVE, Release Info, libksba

Oct 11 2022

• werner added a project to T6230: Release Libksba 1.6.2 (CVE-2022-3515): CVE.

Oct 11 2022, 10:43 AM · CVE, Release Info, libksba

Jul 29 2022

bernhard added a comment to T5947: Release GnuPG 2.3.7.

As 2.3.7 was released on the 11th of July, see https://lists.gnupg.org/pipermail/gnupg-announce/2022q3/000474.html
I guess that this issue should be closed and some issues moved to one with 2.3.8.

Jul 29 2022, 2:55 PM · CVE, Release Info, gnupg (gpg23)

Jul 26 2022

• werner closed T5910: CVE-2018-25032 for zlib <=1.2.11 (CVSS 8.1 high) as Resolved.

Jul 26 2022, 9:17 PM · gnupg (gpg22), CVE, gpg4win

• werner updated the task description for T5947: Release GnuPG 2.3.7.

Jul 26 2022, 7:40 PM · CVE, Release Info, gnupg (gpg23)

• werner closed T5949: Release GnuPG 2.2.36 as Resolved.

Jul 26 2022, 7:34 PM · CVE, gnupg (gpg22), Release Info

• werner updated the task description for T5949: Release GnuPG 2.2.36.

Jul 26 2022, 7:31 PM · CVE, gnupg (gpg22), Release Info

Apr 7 2022

• werner added a comment to T5910: CVE-2018-25032 for zlib <=1.2.11 (CVSS 8.1 high).

Updated the copy on our mirror as welll as the gpg4win and swdb packages files.

Apr 7 2022, 11:45 AM · gnupg (gpg22), CVE, gpg4win

Apr 5 2022

• werner lowered the priority of T5910: CVE-2018-25032 for zlib <=1.2.11 (CVSS 8.1 high) from Unbreak Now! to High.

The fix is from 2018 but was not picked up widely; see
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531

Apr 5 2022, 12:14 PM · gnupg (gpg22), CVE, gpg4win

Mar 17 2022

• werner closed T5880: Old version of Zlib in GnuPG as Resolved.

SWDB updated - thus the latest zlib will be part of the next Windows build.

Mar 17 2022, 8:04 AM · CVE, gnupg (gpg22), gpg4win

Mar 15 2022

• werner raised the priority of T5880: Old version of Zlib in GnuPG from Low to Normal.

All 4 CVEs are findings related to standard conforming compiler optimizations which OTOH break long standing assumptions on C coding. “Let us show that our compiler produces the fastes code ever and ignore any assumptions coders had made over the last 50 year”.

Mar 15 2022, 3:22 PM · CVE, gnupg (gpg22), gpg4win

Sep 14 2021

mdeslaur added a comment to T5328: On the (in)security of Elgamal in OpenPGP.

Thanks for the clarification!

Sep 14 2021, 12:41 PM · side-channel, CVE, libgcrypt

• gniibe added a comment to T5328: On the (in)security of Elgamal in OpenPGP.

The problem of (2), is local side-channel attacks to ElGamal encryption.
We evaluated the impact, mainly for the use case of GnuPG; ElGamal keys are not that popular any more. When such an attack is possible, easier attacks would be possible.

Sep 14 2021, 7:52 AM · side-channel, CVE, libgcrypt

• gniibe added a comment to T5328: On the (in)security of Elgamal in OpenPGP.

The paper addresses two issues.
(1) https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
(2) https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2

Sep 14 2021, 7:46 AM · side-channel, CVE, libgcrypt

Sep 13 2021

mdeslaur added a comment to T5328: On the (in)security of Elgamal in OpenPGP.

I looks like the "cipher: Hardening ElGamal by introducing exponent blinding too." commit [1] was never applied to 1.8.x. Is that intentional? If so, is there a specific reasoning that it's not needed in 1.8.x? Thanks!

Sep 13 2021, 2:55 PM · side-channel, CVE, libgcrypt

Aug 22 2021

• werner closed T5328: On the (in)security of Elgamal in OpenPGP as Resolved.

Aug 22 2021, 6:13 PM · side-channel, CVE, libgcrypt

Jul 12 2021

• werner set External Link to https://eprint.iacr.org/2021/923.pdf on T5328: On the (in)security of Elgamal in OpenPGP.

Jul 12 2021, 6:11 PM · side-channel, CVE, libgcrypt

Jun 4 2021

• werner lowered the priority of T5328: On the (in)security of Elgamal in OpenPGP from High to Normal.

Jun 4 2021, 7:52 AM · side-channel, CVE, libgcrypt

• werner changed the visibility for T5328: On the (in)security of Elgamal in OpenPGP.

Jun 4 2021, 7:52 AM · side-channel, CVE, libgcrypt