GnuPG: User-assisted execution of arbitrary code
Gentoo Linux Security Advisory
GLSA 201110-15 / GnuPG
Release date: October 22, 2011
Latest revision: October 22, 2011: 1
All supported architectures
The GPGSM utility included in GnuPG contains a use-after-free
vulnerability that may allow an unauthenticated remote attacker to execute
The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite of
cryptographic software. The GPGSM utility in GnuPG is responsible for
processing X.509 certificates, signatures and encryption as well as
The GPGSM utility in GnuPG contains a use-after-free vulnerability that
may be exploited when importing a crafted X.509 certificate explicitly or
during the signature verification process.
An unauthenticated remote attacker may execute arbitrary code with the
privileges of the user running GnuPG by enticing them to import a crafted
There is no known workaround at this time.
All GnuPG 2.x users should upgrade to the latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-crypt/gnupg-2.0.16-r1"
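To confirm that a box is actually past the fixed version, here is an added shell example (not part of the advisory or of GnuPG) that compares an installed app-crypt/gnupg version against 2.0.16-r1 using Portage ordering, so the ebuild revision is not overlooked; it assumes the `app-crypt/gnupg-<version>` form printed by `qlist -Iv` from portage-utils, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not GLSA or GnuPG code: report whether an installed
# app-crypt/gnupg build is still below the fixed version 2.0.16-r1.
FIXED_VERSION="2.0.16-r1"

# ver_num VERSION: map "a.b.c[.d][-rN]" to one integer that preserves
# Portage ordering (three decimal digits per component, then the -rN
# ebuild revision). Letter suffixes such as 2.0.16a are not handled.
ver_num() {
    ver=$1
    rev=0
    case "$ver" in
        *-r*) rev=${ver##*-r}; ver=${ver%-r*} ;;
    esac
    num=0
    count=0
    old_ifs=$IFS
    IFS=.
    for part in $ver; do
        num=$((num * 1000 + part))
        count=$((count + 1))
    done
    IFS=$old_ifs
    # pad to four components so 2.0.16 and 2.0.16.0 compare equal
    while [ "$count" -lt 4 ]; do
        num=$((num * 1000))
        count=$((count + 1))
    done
    echo $((num * 1000 + rev))
}

# is_affected ATOM_OR_VERSION: exit 0 when this is a GnuPG 2.x build
# older than the fix. Accepts "2.0.16" or "app-crypt/gnupg-2.0.16", the
# latter being what `qlist -Iv app-crypt/gnupg` prints (assumption:
# app-portage/portage-utils is installed).
is_affected() {
    ver=${1#app-crypt/gnupg-}
    case "$ver" in
        2.*) ;;
        *) return 1 ;;   # the advisory covers the 2.x branch only
    esac
    [ "$(ver_num "$ver")" -lt "$(ver_num "$FIXED_VERSION")" ]
}

# Constructed sample inputs standing in for real `qlist -Iv` output.
for atom in app-crypt/gnupg-2.0.16 app-crypt/gnupg-2.0.16-r1 app-crypt/gnupg-1.4.11; do
    if is_affected "$atom"; then echo "$atom: AFFECTED, upgrade"; else echo "$atom: not affected"; fi
done
```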