
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-25125 is a critical security vulnerability affecting GnuPG 2.2.21, 2.2.22, and Gpg4win 3.1.12. The vulnerability was discovered in September 2020 and involves an array overflow that occurs when a victim imports an attacker's OpenPGP key containing AEAD preferences. The overflow is specifically caused by an error in the g10/key-check.c file. Notably, GnuPG 2.3.x and versions prior to 2.2.21 were not affected by this vulnerability, and it was fixed in GnuPG 2.2.23 (GnuPG Announce, NVD).
The vulnerability is a buffer overflow with a CVSS v3.1 Base Score of 7.8 (HIGH). The attack vector is local (AV:L), with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R). The scope is unchanged (S:U), with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Exploitation is constrained because an attacker can control only every second byte, with the first byte fixed at a value of 0x04 (NVD, GnuPG Bug).
When exploited, the vulnerability can lead to a crash or potentially other unspecified impacts when a victim imports an attacker's OpenPGP key. While software distribution verification systems using curated key lists were not affected, the vulnerability could be triggered by importing arbitrary keys, making it a significant security concern for general users (GnuPG Announce).
The primary mitigation is to update to GnuPG version 2.2.23 or later. For users unable to update, the patch at https://dev.gnupg.org/rGaeb8272ca8aad403a4baac33b8d5673719cfd8f0 was provided as an alternative. Gpg4win users were advised to either wait for a fixed release or install GnuPG version 2.2.23 on top of their existing installation (GnuPG Announce).
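To check hosts against the affected range stated above, the following added example (not code from GnuPG or from this database) reads the first line of `gpg --version` output and classifies it. The function names, host names and inventory format are assumptions made for illustration, and the sample banners are constructed.

```shell
#!/bin/sh
# Added example: triage GnuPG versions against the range this page states.
# Affected: 2.2.21 and 2.2.22. Fixed: 2.2.23. Not affected: < 2.2.21 and 2.3.x.
# Caveat (assumption): only the version string is read, so a vendor build that
# applied the patch without changing the version is still reported as affected.

# Print the version from the first line of `gpg --version` output on stdin,
# e.g. "gpg (GnuPG) 2.2.21" -> "2.2.21"; vendor tags like "GnuPG/MacGPG2" are accepted.
extract_gnupg_version() {
    sed -n '1s/^gpg (GnuPG[^)]*) \([0-9][0-9.]*\).*/\1/p'
}

# Map a version string to affected / not-affected / unknown.
classify_gnupg_version() {
    case "$1" in
        2.2.21|2.2.22) echo "affected" ;;
        ''|*[!0-9.]*)  echo "unknown" ;;
        *)             echo "not-affected" ;;
    esac
}

# Read "host<TAB>banner" lines on stdin, print "host version status" per line.
triage_inventory() {
    while IFS="$(printf '\t')" read -r host banner; do
        ver=$(printf '%s\n' "$banner" | extract_gnupg_version)
        printf '%s %s %s\n' "$host" "${ver:-?}" "$(classify_gnupg_version "$ver")"
    done
}

# Constructed sample inventory (hypothetical hosts, constructed banners).
sample_inventory() {
    printf 'build01\tgpg (GnuPG) 2.2.20\n'
    printf 'dev02\tgpg (GnuPG) 2.2.21\n'
    printf 'mac03\tgpg (GnuPG/MacGPG2) 2.2.22\n'
    printf 'srv04\tgpg (GnuPG) 2.2.23\n'
    printf 'lab05\tgpg (GnuPG) 2.3.1\n'
    printf 'ws06\tgpg: command not found\n'
}

sample_inventory | triage_inventory

# Also report the local installation when gpg is on PATH.
if command -v gpg >/dev/null 2>&1; then
    printf 'localhost\t%s\n' "$(gpg --version 2>/dev/null | head -n 1)" | triage_inventory
fi
```

Hosts reported as "unknown" returned no parsable banner and need a manual look. Gpg4win installations are not covered by this check.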
Source: This report was generated using AI