GnuPG is vulnerable to an integer overflow that could lead to the execution of arbitrary code.

| Package | app-crypt/gnupg on all architectures |
|---|---|
| Affected versions | < 1.4.5 |
| Unaffected versions | >= 1.4.5 |

The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite of cryptographic software.
Evgeny Legerov discovered a vulnerability in GnuPG: an integer overflow may occur when certain packets are handled.
By sending a specially crafted email to a user running an affected version of GnuPG, a remote attacker could possibly execute arbitrary code with the permissions of the user running GnuPG.
There is no known workaround at this time.
All GnuPG users should upgrade to the latest version:

```
# emerge --sync
# emerge --ask --oneshot --verbose "=app-crypt/gnupg-1.4*"
```

| Release date | August 05, 2006 |
|---|---|
| Latest revision | August 08, 2006: 02 |
| Severity | high |
| Exploitable | remote |

Bugzilla entries