[Announce] [security fix] Libgcrypt and GnuPG

Andreas Metzler ametzler at bebt.de
Sat Aug 9 11:32:10 CEST 2014

Werner Koch <wk at gnupg.org> wrote:
> While evaluating the "Get Your Hands Off My Laptop" [1] paper I missed
> to describe [2] a software combination which has not been fixed and is
> thus vulnerable to the attack described by the paper.  If you are using
>   gpg2 --version

> on the command line; the second line of the output gives the Libgcrypt
> version:

>   gpg (GnuPG) 2.0.25
>   libgcrypt 1.5.3

> In this example Libgcrypt is vulnerable.
[ and 1.5.4 is not ... ]


libgcrypt 1.5.3 -> 1.5.4 seems to be essentially 5 git commits. Is
the bugfix in a single commit, and if it is, which one?

thanks, cu Andreas
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
