Security News > 2021 > January > GnuPG crypto library can be pwned during decryption – patch now!

GnuPG crypto library can be pwned during decryption – patch now!
2021-01-31 02:12

Bug hunter Tavis Ormandy of Google's Project Zero just discovered a dangerous bug in the GNU Privacy Guard team's libgcrypt encryption software.

The libgcrypt library is an open-source toolkit that anyone can use, but it's probably best known as the encryption library used by the GNU Privacy Guard team's own widely deployed GnuPG software.

There is a heap buffer overflow in libgcrypt due to an incorrect assumption in the block buffer management code.

The second piece of good news is that libgcrypt isn't as widely used as other open-source cryptographic libraries such as OpenSSL and LibreSSL, so fewer third-party programs rely on it.

The third piece of good news is that most third-party software that uses libgcrypt seems to use the shared library that's provided by your distro, rather than compiling a copy of the libgcrypt code into the product itself.

A brief though incomplete list of software on our own system that uses libgcrypt includes: Akonadi, Audacity, FFmpeg, Geeqie, the GPG suite itself, numerous KDE tools, Qemu, the RPM Package Manager and Wireshark.


News URL

https://nakedsecurity.sophos.com/2021/01/31/gnupg-crypto-library-can-be-pwned-during-decryption-patch-now/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Gnupg 4 2 12 17 2 33