Google Discloses Severe Bug in Libgcrypt Encryption Library—Impacting Many Projects

2021-02-01 02:47

A "Severe" vulnerability in GNU Privacy Guard's Libgcrypt encryption software could have allowed an attacker to write arbitrary data to the target machine, potentially leading to remote code execution.

The flaw, which affects version 1.9.0 of libgcrypt, was discovered on January 28 by Tavis Ormandy of Project Zero, a security research unit within Google dedicated to finding zero-day bugs in hardware and software systems.

"There is a heap buffer overflow in libgcrypt due to an incorrect assumption in the block buffer management code," Ormandy said.

The Libgcrypt library is an open-source cryptographic toolkit offered as part of GnuPG software suite to encrypt and sign data and communications.

Thus all an attacker needs to do to trigger this critical flaw is to send the library a block of specially-crafted data to decrypt, thus tricking the application into running an arbitrary fragment of malicious code embedded in it or crash a program that relies on the Libgcrypt library.

"Exploiting this bug is simple and thus immediate action for 1.9.0 users is required," Libgcrypt author Werner Koch noted.

News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/nVPtX4j7gNI/google-discloses-severe-bug-in.html

#encryption #google

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Google		141	996	4895	2855	1622	10368