Joined: 12 May 2004
|Posted: Sat Oct 22, 2011 5:26 am Post subject: [ GLSA 201110-15 ] GnuPG: User-assisted execution of arbitra
|Gentoo Linux Security Advisory
Title: GnuPG: User-assisted execution of arbitrary code (GLSA 201110-15)
Date: October 22, 2011
The GPGSM utility included in GnuPG contains a use-after-free
vulnerability that may allow an unauthenticated remote attacker to execute
The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite of
cryptographic software. The GPGSM utility in GnuPG is responsible for
processing X.509 certificates, signatures and encryption as well as
Vulnerable: < 2.0.16-r1
Unaffected: >= 2.0.16-r1
Unaffected: < 2.0
Architectures: All supported architectures
The GPGSM utility in GnuPG contains a use-after-free vulnerability that
may be exploited when importing a crafted X.509 certificate explicitly or
during the signature verification process.
An unauthenticated remote attacker may execute arbitrary code with the
privileges of the user running GnuPG by enticing them to import a crafted
There is no known workaround at this time.
All GnuPG 2.x users should upgrade to the latest version:
|# emerge --sync
# emerge --ask --oneshot --verbose ">=app-crypt/gnupg-2.0.16-r1"