oss-sec mailing list archives

Re: Many vulnerabilities in GnuPG

From: Neal Gompa <ngompa13 () gmail com>
Date: Mon, 29 Dec 2025 05:46:14 -0500

On Sun, Dec 28, 2025 at 9:51 PM Demi Marie Obenour
<demiobenour () gmail com> wrote:


On 12/28/25 05:00, Sam James wrote:

Demi Marie Obenour <demiobenour () gmail com> writes:

https://gpg.fail lists many vulnerabilities in GnuPG, one of which
allows remote code execution.

All are zero-days to the best of my knowledge.


In 2.5.14:


Fedora isn't running 2.5.14 even in Rawhide.  It's a zero-day for
Fedora users at least.

Upstream GnuPG is increasingly unwilling to collaborate with other
OpenPGP implementations, and distros are having to patch GnuPG just to
restore interoperability.  If possible, it would be best for distros
to either outright fork the project and create a new upstream, or stop
packaging GnuPG entirely in favor of Sequoia's compatibility layer.


The Fedora Linux family of distributions already doesn't use GnuPG in
the critical path anymore. RPM and DNF have been switched to
SequoiaPGP for quite some time. That change was inherited by Red Hat
Enterprise Linux 10 as well.

This is why we have PQC support in our PGP stuff.



-- 
真実はいつも一つ！/ Always, there's only one truth!

Current thread:

Re: Many vulnerabilities in GnuPG, (continued)
- - - Re: Many vulnerabilities in GnuPG Peter Gutmann (Dec 30)
    - Re: Many vulnerabilities in GnuPG Henrik Ahlgren (Dec 30)
    - Re: Many vulnerabilities in GnuPG Collin Funk (Dec 30)
    - Re: Many vulnerabilities in GnuPG Peter Gutmann (Dec 31)
    - Re: Many vulnerabilities in GnuPG Jacob Bachmeyer (Dec 30)
- Re: Many vulnerabilities in GnuPG Sam James (Dec 28)
  - Re: Many vulnerabilities in GnuPG Jeffrey Walton (Dec 28)
  - Re: Many vulnerabilities in GnuPG Demi Marie Obenour (Dec 28)
    - Re: Many vulnerabilities in GnuPG Stephan Verbücheln (Dec 29)
    - Re: Many vulnerabilities in GnuPG Alan Coopersmith (Dec 30)
    - Re: Many vulnerabilities in GnuPG Neal Gompa (Dec 29)