In association with heise online

01 April 2008, 14:59

GnuPG 1.4.9 and 2.0.9 fix vulnerability

The GnuPG open source encryption software is now available in versions 1.4.9 and 2.0.9. The latest versions fix a vulnerability that might have allowed arbitrary code to be executed.

According to an oCERT advisory and an entry in the GnuPG bug tracking system, importing keys with duplicate IDs can crash the system. The bug tracker entries by Werner Koch from the GnuPG team explain that this can be traced to a null pointer dereference causing memory corruption. The oCERT researchers who discovered the vulnerability do not exclude the possibility of code being executed as a result, although they have not provided a demonstration.

The GnuPG developers claim to have increased the encryption performance of the new versions by 20 percent on the x86 architecture. GnuPG users should switch to the updated versions as soon as possible. These are available from project servers and mirrors.
