[Announce] [security fix] Libgcrypt and GnuPG

Pete Stephenson pete at heypete.com
Fri Aug 8 23:34:30 CEST 2014

On Fri, Aug 8, 2014 at 12:17 PM, Werner Koch <wk at gnupg.org> wrote:
> Hi!
> While evaluating the "Get Your Hands Off My Laptop" [1] paper I missed
> to describe [2] a software combination which has not been fixed and is
> thus vulnerable to the attack described by the paper.  If you are using
> a GnuPG version with a *Libgcrypt version < 1.6.0*, it is possible to
> mount the described side-channel attack on Elgamal encryption subkeys.
> To check whether you are using a vulnerable Libgcrypt version, enter
>   gpg2 --version
> on the command line; the second line of the output gives the Libgcrypt
> version:
>   gpg (GnuPG) 2.0.25
>   libgcrypt 1.5.3
> In this example Libgcrypt is vulnerable.  If you see 1.6.0 or 1.6.1 you
> are fine.  GnuPG versions since 1.4.16 are not affected because they do
> not use Libgcrypt.

Does this vulnerability apply to gpg4win users?

There's been no gpg4win updates since October of 2013 and there have
been several updates of GnuPG since then. I am somewhat concerned.

Is there any information about when an update for Windows users might
be released?


Pete Stephenson

More information about the Gnupg-users mailing list