An open-source cryptographic library called Libgcrypt is in hot water after a critical vulnerability was reported in its software. The vulnerability lies in the GNU Privacy Guard (GnuPG) module, relying on the ‘libgpg-error’ message. However, researchers have reported that the code can be used independently through more complicated means. Libgcrypt released version 1.9.0 of its software on January 19. Google Project Zero researcher Tavis Ormandy publicly disclosed the bug on Thursday.
Ormandy described the vulnerability as a heap buffer overflow resulting from an incorrect assumption in the block buffer management code. He also stated that the bug was easily exploitable, explaining how a threat actor could simply decrypt some data to cause the overflow, with no verification or signature needed before the flaw is exploited. Libgcrypt has since released version 1.9.1, which addresses the severe vulnerability.