CVE-2013-4351

Publication date 13 September 2013

Last updated 24 July 2024

GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
gnupg	13.04 raring	Fixed 1.4.12-7ubuntu1.2
	12.10 quantal	Fixed 1.4.11-3ubuntu4.3
	12.04 LTS precise	Fixed 1.4.11-3ubuntu2.4
	10.04 LTS lucid	Fixed 1.4.10-2ubuntu1.4
gnupg2	13.04 raring	Fixed 2.0.19-2ubuntu1.1
	12.10 quantal	Fixed 2.0.17-2ubuntu3.2
	12.04 LTS precise	Fixed 2.0.17-2ubuntu2.12.04.3
	10.04 LTS lucid	Ignored

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-1987-1
GnuPG vulnerabilities
9 October 2013

Other references

http://www.openwall.com/lists/oss-security/2013/09/13
https://www.cve.org/CVERecord?id=CVE-2013-4351