GnuPG 1.4.9 and 2.0.9 fix vulnerability
The GnuPG open source encryption software is now available in versions 1.4.9 and 2.09. The latest versions fix a vulnerability that might have allowed arbitrary code to be executed.
According to an oCERT advisory and an entry in the GnuPG bug tracking system, importing keys with duplicate IDs can crash the system. The bug tracker entries by Werner Koch from the GnuPG team explain that this can be traced to a null pointer dereference causing memory corruption. The oCERT researchers who discovered the vulnerability do not exclude the possibility of code being executed as a result, although they have not provided a demonstration.
The GnupG developers claim to have increased the encryption performance of the new versions by 20 percent on x86 architecture. GnuPG users should switch to the updated versions as soon as possible. These are available from project servers and mirrors.
- GnuPG 1.4.9 released, Announcement by Werner Koch of the release of the latest versions
- GnuPG memory corruption, oCERT advisory
- segv when importing keys with duplicated ids, Entry in the GnuPG bugtracking system