CVE-2025-30258

Publication date 19 March 2025

Last updated 3 April 2025

Ubuntu priority

In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."

Status

Show unmaintained releases

Package	Ubuntu Release	Status
gnupg2	24.10 oracular	Fixed 2.4.4-2ubuntu18.2
	24.04 LTS noble	Fixed 2.4.4-2ubuntu17.2
	22.04 LTS jammy	Fixed 2.2.27-3ubuntu2.3
	20.04 LTS focal	Fixed 2.2.19-3ubuntu2.4
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation

How can I get the fixes?
What do statuses mean?
Patch details

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
gnupg2	Upstream: https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=48978ccb4e20866472ef18436a32744350a65158 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=d3d7713c1799754160260cb350309dd183b397f5 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=25d748c3dfc0102f9e54afea59ff26b3969bd8c1 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=9cd371b12d80cfc5bc85cb6e5f5eebb4decbe94f Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=da0164efc7f32013bc24d97b9afa9f8d67c318bb Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=1e581619bf5315957f2be06b3b1a7f513304c126 Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=4be25979a6b3e2a79d7c9667b07db8b09fb046e9

Package

Patch details

gnupg2

Upstream: https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=48978ccb4e20866472ef18436a32744350a65158
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=d3d7713c1799754160260cb350309dd183b397f5
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=25d748c3dfc0102f9e54afea59ff26b3969bd8c1
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=9cd371b12d80cfc5bc85cb6e5f5eebb4decbe94f
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=da0164efc7f32013bc24d97b9afa9f8d67c318bb
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=1e581619bf5315957f2be06b3b1a7f513304c126
Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=4be25979a6b3e2a79d7c9667b07db8b09fb046e9

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-7412-1
GnuPG vulnerability
3 April 2025

Other references

https://www.cve.org/CVERecord?id=CVE-2025-30258
https://lists.gnupg.org/pipermail/gnupg-announce/2025q1/000491.html