CVE-2008-1530 - GnuPG (gpg) 1.4.8 and 2.0.8 allows remote attackers to cause a denial of service (crash) and possibl

CVE-2008-1530

Summary

GnuPG (gpg) 1.4.8 and 2.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted duplicate keys that are imported from key servers, which triggers "memory corruption around deduplication of user IDs."

References

Vulnerable Configurations

cpe:2.3:a:gnupg:gnupg:1.4.8:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:1.4.8:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.8:*:*:*:*:*:*:*
cpe:2.3:a:gnupg:gnupg:2.0.8:*:*:*:*:*:*:*

CVSS

Base:	9.3 (as of 08-08-2017 - 01:30)
Impact:
Exploitability:

CWE

CWE-399

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:M/Au:N/C:C/I:C/A:C

refmap via4

bid	28487
confirm	https://bugs.g10code.com/gnupg/issue894 https://bugs.gentoo.org/show_bug.cgi?id=214990
misc	http://www.ocert.org/advisories/ocert-2008-1.html
mlist	[Announce] 20080326 GnuPG 1.4.9 released
secunia	29568
vupen	ADV-2008-1056
xf	gnupg-keys-code-execution(41547)

statements via4

contributor	Mark J Cox
lastmodified	2008-03-28
organization	Red Hat
statement	Not vulnerable. This issue does not affect the versions of gnupg packages as shipped with Red Hat Enterprise Linux versions 2.1, 3, 4 or 5.

Last major update

08-08-2017 - 01:30

Published

27-03-2008 - 23:44

Last modified

08-08-2017 - 01:30