Gentoo Linux Security Advisory 201402-24 - Multiple vulnerabilities have been discovered in GnuPG and Libgcrypt, which may result in execution of arbitrary code, Denial of Service, or the disclosure of private keys. Versions less than 2.0.22 are affected.
b179c24948b12fd20220e710cd0fc8df88dcb5a2e4985677436d991735781ae4
Red Hat Security Advisory 2013-1459-01 - The GNU Privacy Guard is a tool for encrypting data and creating digital signatures, compliant with the proposed OpenPGP Internet standard and the S/MIME standard. A denial of service flaw was found in the way GnuPG parsed certain compressed OpenPGP packets. An attacker could use this flaw to send specially crafted input data to GnuPG, making GnuPG enter an infinite loop when parsing data. It was found that importing a corrupted public key into a GnuPG keyring database corrupted that keyring. An attacker could use this flaw to trick a local user into importing a specially crafted public key into their keyring database, causing the keyring to be corrupted and preventing its further use.
66f4f380227d5284e4fe726da477005d273d6e0b0babb21afcad548a7d3c4cc5
Red Hat Security Advisory 2013-1458-01 - The GNU Privacy Guard is a tool for encrypting data and creating digital signatures, compliant with the proposed OpenPGP Internet standard and the S/MIME standard. It was found that GnuPG was vulnerable to the Yarom/Falkner flush+reload cache side-channel attack on the RSA secret exponent. An attacker able to execute a process on the logical CPU that shared the L3 cache with the GnuPG process could possibly use this flaw to obtain portions of the RSA secret key.
4ed140d307f2bb993d4c7916c9f09e01858d795fc86538c67ede4581485941e0
Slackware Security Advisory - New gnupg2 packages are available for Slackware 13.37, 14.0, and -current to fix security issues. These packages will require the updated libgpg-error package. Related CVE Numbers: CVE-2013-4402.
dda1058a769536c2ddb2b2d2a402ff01901c6e6d245c08d55af69271767b813e
Slackware Security Advisory - New gnupg packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix security issues. Related CVE Numbers: CVE-2013-4402.
063e6988f3bde3da3e28b4a1c8e9e1bc4231c00ecc5f86bc612cc24d0d7ebb14
Debian Linux Security Advisory 2773-1 - Two vulnerabilities were discovered in GnuPG, the GNU privacy guard, a free PGP replacement.
e077ea3264c37bcd24fbc332abf425b7495d109a8d76e55af9da3f607195c663
Debian Linux Security Advisory 2774-1 - Two vulnerabilities were discovered in GnuPG 2, the GNU privacy guard, a free PGP replacement.
7bbc4f5dc7ed8480336fce6b2293b35a941d9c5286990097f3237cb526b79318
Mandriva Linux Security Advisory 2013-247 - GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared as if it has all bits set, which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey. Special crafted input data may be used to cause a denial of service against GPG. GPG can be forced to recursively parse certain parts of OpenPGP messages ad infinitum. The updated packages have been patched to correct this issue.
eb8b68dbe596e9a343773777e3107f217d9e0cde3797f3795ed8c6806caff422
Ubuntu Security Notice 1987-1 - Daniel Kahn Gillmor discovered that GnuPG treated keys with empty usage flags as being valid for all usages. Taylor R Campbell discovered that GnuPG incorrectly handled certain OpenPGP messages. If a user or automated system were tricked into processing a specially-crafted message, GnuPG could consume resources, resulting in a denial of service.
fe6b43115bf990088629c8dd208be6d6502447a5e0f1583e80cfafa294f4b8a3