A severe vulnerability has been found in Libgcrypt 1.9.0, and users are advised not to use that version.
Libgcrypt 1.9.0 Vulnerability
Tavis Ormandy of Project Zero discovered a flaw that affects version 1.9.0 of Libgcrypt.
Libgcrypt 1.9.0 is the newest version of the cryptographic library used by the GNU Privacy Guard (GnuPG) free encryption software.
In the initial advisory, Werner Koch (the GnuPG maintainer) did not explain the nature of the reported vulnerability and warned users not to use the version.
The Libgcrypt 1.9.0 vulnerability is a heap buffer overflow caused by an incorrect assumption in the block buffer management code.
Simply decrypting some data can overflow a heap buffer with attacker-controlled data; no verification or signature check takes place before the vulnerable code is reached.
“Exploiting this bug is simple and thus immediate action for 1.9.0 users is required,” Koch noted.
He further added, “The 1.9.0 tarballs on our FTP server have been renamed so that scripts won’t be able to get this version anymore.”
Fedora 34 (scheduled for release in April 2021) and Gentoo Linux are already using the vulnerable version.
No other Libgcrypt versions are affected.
He also mentioned that a newer version with a fix (as well as fixes for a couple of build problems) would be released later.
Version 1.9.1, which fixes the flaw, is available for download.
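Since the advisory names exactly one affected release (1.9.0) and one fixed release (1.9.1), the practical first step for an operator is to find out which Libgcrypt version each host actually has. The following script is an added example written for this page, not code from the Libgcrypt project or from the article's author. It parses version strings of the form printed by `libgcrypt-config --version` (a helper shipped with Libgcrypt), classifies them against the advisory, and optionally queries the tool on the local machine. The sample outputs in `SAMPLE_OUTPUTS` are constructed for illustration and were not captured from real systems.

```python
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Per the advisory: 1.9.0 is the only affected release, 1.9.1 carries the fix.
AFFECTED_VERSION: Version = (1, 9, 0)
FIXED_VERSION: Version = (1, 9, 1)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first MAJOR.MINOR.PATCH triple from a version string.

    Anything after the third component (for example a '-beta' suffix on a
    development snapshot) is ignored.  Returns None when no triple is found.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True only for the exact 1.9.0 release named in the advisory."""
    return version == AFFECTED_VERSION


def classify(text: str) -> str:
    """Map a version string to one of: vulnerable, fixed, not-affected, unknown.

    'unknown' means the string carried no parseable version; treat such hosts
    as needing manual review rather than as safe.
    """
    version = parse_version(text)
    if version is None:
        return "unknown"
    if is_affected(version):
        return "vulnerable"
    if version >= FIXED_VERSION:
        return "fixed"
    return "not-affected"  # older release line; not the 1.9.0 build


def installed_libgcrypt_version() -> Optional[Version]:
    """Query `libgcrypt-config --version` if the tool is on PATH.

    Returns None when the tool is missing, fails, or prints no version.
    A statically linked or bundled copy of the library will not be seen here.
    """
    tool = shutil.which("libgcrypt-config")
    if tool is None:
        return None
    try:
        result = subprocess.run(
            [tool, "--version"], capture_output=True, text=True,
            timeout=5, check=False,
        )
    except (OSError, subprocess.SubprocessError):
        return None
    return parse_version(result.stdout)


# Constructed sample outputs (hypothetical hosts), not captured from real machines.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "fedora-34-prerelease": "1.9.0\n",
    "patched-host": "1.9.1\n",
    "old-stable": "1.8.7\n",
    "broken-host": "libgcrypt-config: command not found\n",
}


def audit(samples: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Classify each host's reported version string."""
    samples = SAMPLE_OUTPUTS if samples is None else samples
    return {host: classify(output) for host, output in samples.items()}


if __name__ == "__main__":
    for host, verdict in audit().items():
        print(f"{host}: {verdict}")
    live = installed_libgcrypt_version()
    if live is None:
        print("this machine: libgcrypt-config not found or unusable")
    else:
        print("this machine:", classify(".".join(map(str, live))))
```

Because `libgcrypt-config` only reports the copy it was built with, pair this check with the package manager's view (for example the installed `libgcrypt` package version on Fedora or Gentoo) and look separately for applications that bundle their own copy of the library; a host that returns "unknown" should be inspected by hand rather than marked clean.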