
GnuPG: OpenPGP protocol attack


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 200503-29 / GnuPG
Release Date: March 24, 2005
Latest Revision: March 24, 2005: 01
Impact: low
Exploitable: remote

Package: app-crypt/gnupg
Vulnerable versions: < 1.4.1
Unaffected versions: >= 1.4.1
Architecture(s): All supported architectures

Related bugreports: #85547


Automated systems using GnuPG may leak plaintext portions of an encrypted message.

2.  Impact Information


GnuPG is a complete and free replacement for PGP, a tool for secure communication and data storage.


A flaw has been identified in an integrity checking mechanism of the OpenPGP protocol.


An automated system using GnuPG that allows an attacker to repeatedly discover the outcome of an integrity check (perhaps by observing the time required to return a response, or via overly verbose error messages) could theoretically reveal a small portion of plaintext.
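
Because the attack depends on querying the integrity check repeatedly, a burst of failed decryptions from one client is a usable detection signal for operators of automated GnuPG systems. The following is an added example, not part of the original advisory or of GnuPG: the log format (timestamp, client, outcome), the threshold and the window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log from a hypothetical automated decryption service.
# Assumed format: ISO timestamp, client address, decryption outcome.
SAMPLE_LOG = """\
2005-03-24T10:00:00 192.0.2.10 ok
2005-03-24T10:00:01 198.51.100.7 integrity_fail
2005-03-24T10:00:02 198.51.100.7 integrity_fail
2005-03-24T10:00:03 198.51.100.7 integrity_fail
2005-03-24T10:00:04 192.0.2.10 integrity_fail
2005-03-24T10:00:05 198.51.100.7 integrity_fail
2005-03-24T10:00:06 198.51.100.7 integrity_fail
2005-03-24T10:00:07 198.51.100.7 integrity_fail
2005-03-24T10:00:08 198.51.100.7 ok
2005-03-24T10:30:00 192.0.2.10 integrity_fail
"""


def flag_oracle_probing(lines, max_failures=5, window=timedelta(seconds=60)):
    """Return {client: peak failure count} for every client that exceeds
    max_failures failed decryptions inside one sliding time window.
    Lines are expected in chronological order."""
    recent = defaultdict(deque)   # client -> timestamps of recent failures
    flagged = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue              # skip malformed lines
        stamp, client, outcome = parts
        if outcome == "ok":
            continue              # only failed checks feed an oracle
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue              # skip unparseable timestamps
        failures = recent[client]
        failures.append(when)
        # Drop failures that have aged out of the window.
        while when - failures[0] > window:
            failures.popleft()
        if len(failures) > max_failures:
            flagged[client] = max(flagged.get(client, 0), len(failures))
    return flagged


if __name__ == "__main__":
    for client, count in flag_oracle_probing(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {count} failed decryptions within 60s")
```

Detection of this kind complements the upgrade in the Resolution section; it does not replace it.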

3.  Resolution Information


There is no known workaround at this time.


All GnuPG users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-crypt/gnupg-1.4.1"

4.  References


Page updated March 24, 2005

Summary: This is a Gentoo Linux Security Advisory

Security Team