Security hole in GnuPG
GnuPG's developers have released new packages to close a security hole through which attackers could execute their own code on a victim's machine using rigged e-mails. The flaw can be triggered not only by encrypted messages but also by merely signed ones, so simply verifying a signature on a crafted message is enough to hit it.
GnuPG processes the OpenPGP packets of a message with a chain of filters that communicate with one another via what are known as context structures. The data flow into a filter is not always cut off before the associated context structure is deallocated, so a filter can be driven to access a context structure that has already been freed: a classic use-after-free. That structure contains a pointer to the encryption algorithm's functions, and whatever the next allocation places in the freed memory is what the filter then reads as that pointer. With a carefully prepared OpenPGP message, an attacker can therefore control the function pointer and, with it, the address to which the program jumps.
Project lead Werner Koch states that all GnuPG versions prior to 1.4.6 and 2.0.2 are vulnerable, that is, every 1.4.x release before 1.4.6 and every 2.0.x release before 2.0.2. Updated source code and Windows packages are available for download on the project's homepage, and Linux distributors have begun shipping the new versions as well. Koch recommends that all GnuPG users upgrade to the fixed version as soon as possible.
- GnuPG: remotely controllable function pointer, security advisory from Werner Koch
- Download the current GnuPG package