Any new Gpg4win update beyond version 4.4.0 planned?

Where can I find details about the plan for further updates of Gpg4win?

I am interested if they would address this CVE-2025-30258

Hi @ISimion,
at least there is Index of /Beta/gpg4win-5.0.0-beta145 which includes the new GnuPG version (as far as I know).

Currently I am trying to see if GnuPG 2.4.7 has CVE-2025-30258 or not. Anyhow it is a vulnerability with a low severity. It may just get fixed with the next release of Gpg4win after the next release in the 2.4.x stable series of GnuPG.

1 Like

Currently I am trying to see if GnuPG 2.4.7 has CVE-2025-30258 or not.

Yes, the branch git.gnupg.org Git - gnupg.git/shortlog has the fix. I’ve asked on gnupg-users@ .

1 Like

This is not a vulnerability. (The CVE is still „awaiting analysis“.)

This situation can only occur if a malicious actor manages to trick you into importing tampered keys.
If this is successful, it may happen that a signature cannot be verified and an error message is displayed. The offending key is displayed and can simply be deleted.
No data is lost or manipulated.

See T7527 Keyring/keybox denial of service

A new version of Gpg4win Beta 5 is expected to be released within the next two weeks with a fix for this nuisance.
A release date for Gpg4win 4.4.1 has not yet been set, as this is not a critical issue.

1 Like

This is not a vulnerability.

From what you write, it is a vulnerability. Although one with a low to medium CVSS. Redhat gives it 2.7: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L.

(The CVE is still „awaiting analysis“.)

That is a typical status for vulnerabilities which they can have for a long time.

A new version of Gpg4win Beta 5 is expected to be released within the next two weeks with a fix for this nuisance.

Okay, so 5.0.0-beta145 which came out three days after GnuPG 2.5.5 does not have the patch … thanks for the correction.

1 Like

Okay, so 5.0.0-beta145 which came out three days after GnuPG 2.5.5 does not have the patch …

or does it? At least the branch got the upgrade to GnuPG 2.5.5 on 2025-03-07.

https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=shortlog;h=refs/heads/gpg4win-5-branch

1 Like

When looking into the source package, 5.0.0-beta145 has gnupg-w32-2.5.5_20250307-bin.exe which has the fix. (Also thanks to @eebb for confirmation.)

One more thing about the term vulnerability:
While by common definitions, this defect is a software vulnerability, the low CVSSv3 score (2.7 by Redhat) shows that it is not something which needs a quick fix. Even a CVE number is not really helpful. The reasons are:

  • if defects like this get CVE numbers, then many regular improvements in software development would need to get one, which is too many to be useful. The significant vulnerabilities that must be fixed quickly would be drowned within regular fixes.
  • the term vulnerability sometimes triggers the need for a patch or a fast fix out of the regular schedule. Those fixes come with their own risks because of the accelerated development. As we have a low severity thing here, a quick fix is potentially less secure than a regular maintenance release.

In that sense we do not have a vulnerability - as we do not need a quick fix and it is more like a regular defect for which there are many.

2 Likes
