VulnerableCode Package Details - pkg:deb/debian/gnupg@1.4.12-7%2Bdeb7u7

Search for packages

Vulnerability	Summary	Fixed by
VCID-7hrs-wfbd-bbcf Aliases: CVE-2017-7526	libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used.	1.4.18-7+deb8u5 Affected by 0 other vulnerabilities.
VCID-gcbw-63wa-sqhp Aliases: CVE-2016-6313		1.4.18-7+deb8u5 Affected by 0 other vulnerabilities.
VCID-p6xn-vjxt-3qcu Aliases: CVE-2018-12020	mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.	1.4.18-7+deb8u5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-7hrs-wfbd-bbcf
Aliases:
CVE-2017-7526

libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used.

1.4.18-7+deb8u5
Affected by 0 other vulnerabilities.

VCID-gcbw-63wa-sqhp
Aliases:
CVE-2016-6313

1.4.18-7+deb8u5
Affected by 0 other vulnerabilities.

VCID-p6xn-vjxt-3qcu
Aliases:
CVE-2018-12020

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.

1.4.18-7+deb8u5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-9hja-pfy5-hfh6	The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a "Last-Level Cache Side-Channel Attack."	CVE-2015-0837
VCID-jke4-qk8u-8bcm		CVE-2014-5270
VCID-p649-eevs-abhw	Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.	CVE-2014-3591
VCID-vt39-dedw-nkec	The keyring DB in GnuPG before 2.1.2 does not properly handle invalid packets, which allows remote attackers to cause a denial of service (invalid read and use-after-free) via a crafted keyring file.	CVE-2015-1606

Vulnerability

Summary

Aliases

VCID-9hja-pfy5-hfh6

The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a "Last-Level Cache Side-Channel Attack."

CVE-2015-0837

VCID-jke4-qk8u-8bcm

CVE-2014-5270

VCID-p649-eevs-abhw

Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.

CVE-2014-3591

VCID-vt39-dedw-nkec

The keyring DB in GnuPG before 2.1.2 does not properly handle invalid packets, which allows remote attackers to cause a denial of service (invalid read and use-after-free) via a crafted keyring file.

CVE-2015-1606

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T10:29:53.195894+00:00	Debian Oval Importer	Affected by	VCID-7hrs-wfbd-bbcf	https://www.debian.org/security/oval/oval-definitions-jessie.xml.bz2	37.0.0
2025-08-01T10:29:46.596890+00:00	Debian Oval Importer	Affected by	VCID-gcbw-63wa-sqhp	https://www.debian.org/security/oval/oval-definitions-jessie.xml.bz2	37.0.0
2025-08-01T10:02:20.540385+00:00	Debian Oval Importer	Affected by	VCID-p6xn-vjxt-3qcu	https://www.debian.org/security/oval/oval-definitions-jessie.xml.bz2	37.0.0
2025-08-01T09:41:48.619469+00:00	Debian Oval Importer	Fixing	VCID-vt39-dedw-nkec	https://www.debian.org/security/oval/oval-definitions-wheezy.xml.bz2	37.0.0
2025-08-01T09:24:47.491309+00:00	Debian Oval Importer	Fixing	VCID-jke4-qk8u-8bcm	https://www.debian.org/security/oval/oval-definitions-wheezy.xml.bz2	37.0.0
2025-08-01T09:21:20.659659+00:00	Debian Oval Importer	Fixing	VCID-9hja-pfy5-hfh6	https://www.debian.org/security/oval/oval-definitions-wheezy.xml.bz2	37.0.0
2025-08-01T09:20:21.573331+00:00	Debian Oval Importer	Fixing	VCID-p649-eevs-abhw	https://www.debian.org/security/oval/oval-definitions-wheezy.xml.bz2	37.0.0