Forum: help-en

RE: Libgcrypt vulnerability [ Reply ]
By: Bernhard Reiter on 2021-02-02 08:24
[forum:7681]
Hi Mark,

No, Gpg4win 3.1.15 is fine (and not affected)
because it uses the libgcrypt version 1.8.7.

## Details:

It contains GnuPG 2.2.27
(The file packages.current from the git tag "gpg4win-3.1.15" has the precise versions used for the build:

```
name gnupg-w32-2.2.27-20210111-bin.exe
file binary/gnupg-w32-2.2.27_20210111.exe
chk 5d89e239790822711eae2899467a764879d21440ab68e9413452fa96cedeba50
```
)
and GnuPG 2.2.27 was released before libgcrypt 1.9.0 (the vulnerable version).
It still needs the 1.8.x version of libgcrypt (configure.ac: NEED_LIBGCRYPT_VERSION=1.8.0).


You can see the used version in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg-doc.git;a=blob;f=web/swdb.mac;h=785ca556a4649bbe81ba8e91cf156d620f65f036;hb=7da27041da50080720a58b4cbb2dc972a0e8481f

Best Regards,
Bernhard
P.S.: The news article is very short and thus does not report on the detail that usually it takes a while until a new major version of a library is picked up and goes into production. As the fix was coming within a few days
and was in a library, we believe that the window of exposure was (fortunately) limited and did not affect many installations.
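The two checks Bernhard walks through, reading the build manifest to see which component versions went into a release and comparing the bundled libgcrypt against the version named as vulnerable, can be done mechanically. The script below is an added example and is not code from this thread or from the Gpg4win project. It assumes that packages.current consists of `key value` lines with each entry starting at a `name` line (the shape of the three lines quoted above) and, as the post states, that 1.9.0 is the affected libgcrypt release; the installer bytes used for the hash comparison are constructed here, not a real download.

```python
import hashlib
import hmac
import re

# Constructed sample in the shape of the packages.current lines quoted in the post.
PACKAGES_CURRENT = """\
name gnupg-w32-2.2.27-20210111-bin.exe
file binary/gnupg-w32-2.2.27_20210111.exe
chk 5d89e239790822711eae2899467a764879d21440ab68e9413452fa96cedeba50
"""

# Version the post identifies as vulnerable, and the minimum GnuPG 2.2.27 requires.
VULNERABLE_LIBGCRYPT = (1, 9, 0)
NEED_LIBGCRYPT_VERSION = "1.8.0"


def parse_packages_current(text):
    """Parse 'key value' lines into a list of dicts, one per package.

    Assumption: a new entry begins at every 'name' line; blank lines and
    '#' comments are ignored.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "name":
            current = {"name": value.strip()}
            entries.append(current)
        elif current is not None:
            current[key] = value.strip()
    return entries


def sha256_hex(data):
    """Hex SHA-256 of a byte string (the 'chk' column is a SHA-256 digest)."""
    return hashlib.sha256(data).hexdigest()


def verify_entry(entry, data):
    """Return True if data hashes to the entry's chk value.

    The digest is validated as 64 hex digits first, and the comparison uses
    hmac.compare_digest so a mismatch does not leak where the digests differ.
    """
    expected = entry.get("chk", "").lower()
    if not re.fullmatch(r"[0-9a-f]{64}", expected):
        raise ValueError("chk is not a 64-hex-digit SHA-256 value")
    return hmac.compare_digest(sha256_hex(data), expected)


def parse_version(version_str):
    """'1.8.7' -> (1, 8, 7); tuples compare component-wise."""
    return tuple(int(part) for part in version_str.split("."))


def libgcrypt_affected(version_str):
    """True only for the release the post names as vulnerable."""
    return parse_version(version_str) == VULNERABLE_LIBGCRYPT


def meets_minimum(version_str, minimum=NEED_LIBGCRYPT_VERSION):
    """True if the bundled libgcrypt satisfies configure.ac's minimum."""
    return parse_version(version_str) >= parse_version(minimum)


if __name__ == "__main__":
    for entry in parse_packages_current(PACKAGES_CURRENT):
        print(entry["name"], "->", entry["file"], "chk", entry["chk"][:16] + "...")
    for v in ("1.8.7", "1.9.0"):
        print("libgcrypt", v, "affected:", libgcrypt_affected(v),
              "meets minimum:", meets_minimum(v))
```

To check a real download you would read the installer file as bytes and pass it to `verify_entry` together with the matching entry; a False result means the file does not correspond to the manifest line and should not be trusted regardless of which libgcrypt it claims to contain.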

Libgcrypt vulnerability [ Reply ]
By: Mark W on 2021-02-01 19:44
[forum:7680]
After reading this article I was wondering: is GPG4Win 3.1.15 affected? If so, can we just copy over the updated file?

https://thehackernews.com/2021/01/google-discloses-severe-bug-in.html