A critical GnuPG security update

by
corbet
from LWN.net on (#734P8)
There is a new GnuPG update for a "critical security bug" in recentGnuPG releases.

A crafted CMS (S/MIME) EnvelopedData message carrying an oversizedwrapped session key can cause a stack buffer overflow in gpg-agentduring the PKDECRYPT--kem=CMS handling. This can easily be usedfor a DoS but, worse, the memory corruption can very likley also beused to mount a remote code execution attack. The bug wasintroduced while changing an internal API to the FIPS required KEMAPI.

Only versions 2.5.13 through 2.5.16 are affected.

External Content
Source RSS or Atom Feed
Feed Location http://lwn.net/headlines/rss
Feed Title LWN.net
Feed Link https://lwn.net/
Reply 0 comments