Versions mentioned in the description apply to the upstream gnupg2 package. See the Remediation section below for Debian:10 relevant versions.
GnuPG (gpg) 1.4.8 and 2.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted duplicate keys that are imported from key servers, which triggers "memory corruption around deduplication of user IDs."
Upgrade Debian:10 gnupg2 to version 2.0.9-1 or higher.