New GnuPG version corrects flaw
The developers of the open source PGP alternative GnuPG have released a new version of their encryption software. It closes two further security holes of the same kind as those fixed in version 1.4.4.
The vulnerabilities closed by GnuPG 1.4.4 involved an integer overflow when decrypting overlong user IDs, which caused too little memory to be allocated. This in turn led to a denial of service through a program crash. At the time, the developers admitted the possibility that malicious code could be planted using the vulnerability. In announcing GnuPG version 1.4.5, developer Werner Koch described it in this way: the execution of injected code is not completely impossible.
The previous problems were subject to the restriction that the flaw only occurred when processing was performed with the --no-armor option in effect. That option tells GnuPG that it is working with data not in the usual "ASCII-armored" format. However, Werner Koch has told heise Security that the --no-armor option is not a prerequisite for the newly fixed flaw.
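The flaw class described above, a length field whose arithmetic wraps so that too small a buffer is allocated, is shown here as an added illustration; this is not GnuPG's packet format or code. It assumes a constructed record layout (4-byte big-endian length followed by the data) and an assumed bookkeeping overhead `UID_EXTRA`, and places the unchecked computation beside a hardened one that rejects overlong lengths before any allocation.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a "user ID" record: a 4-byte big-endian length
   field followed by that many bytes. Not GnuPG's packet format or code. */
#define UID_EXTRA 16u   /* assumed bookkeeping bytes added to the buffer */

static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: the size is computed in 32-bit arithmetic with no
   check, so an overlong length wraps to a tiny number and far too little
   memory would be allocated before the record is copied in. Returns the
   size that would be requested; it deliberately allocates nothing. */
uint32_t vulnerable_alloc_size(const unsigned char *rec) {
    return read_be32(rec) + UID_EXTRA;   /* wraps when len > UINT32_MAX - 16 */
}

/* Hardened pattern: bound the length by policy and by the data actually
   present, and check the addition before using it. Returns 1 and the
   size in *out on success, 0 if the record must be rejected. */
int safe_alloc_size(const unsigned char *rec, size_t rec_len,
                    size_t max_uid, size_t *out) {
    if (rec_len < 4) return 0;                        /* no complete length field */
    uint32_t len = read_be32(rec);
    if (len > max_uid) return 0;                      /* policy limit on user IDs */
    if (len > rec_len - 4) return 0;                  /* claims more than is present */
    if ((size_t)len > SIZE_MAX - UID_EXTRA) return 0; /* addition would wrap */
    *out = (size_t)len + UID_EXTRA;
    return 1;
}

int main(void) {
    /* constructed records: a hostile length field and an ordinary 5-byte user ID */
    const unsigned char hostile[4] = {0xFF, 0xFF, 0xFF, 0xF8};
    const unsigned char normal[9]  = {0, 0, 0, 5, 'a', 'l', 'i', 'c', 'e'};
    size_t n = 0;
    printf("vulnerable size for hostile length: %u\n", vulnerable_alloc_size(hostile));
    printf("hardened accepts hostile: %d\n",
           safe_alloc_size(hostile, sizeof hostile, 2048, &n));
    printf("hardened accepts normal: %d, size %zu\n",
           safe_alloc_size(normal, sizeof normal, 2048, &n), n);
    return 0;
}
```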
Version 1.4.5 of GnuPG also eliminates another problem that could occur when setting keys on smartcards. Norwegian users can now also use the program in their mother tongue.
Users of GnuPG should consider updating to the new version, because the injection of malicious code cannot be ruled out for the previous versions.
- GnuPG 1.4.5 released (another security fix), Announcement from Werner Koch
- Download of the new version