After reading this article I was wondering is GPG4Win 3.1.15 affected? If so can we just copy over the updated file?
https://thehackernews.com/2021/01/google-discloses-severe-bug-in.html
Hi Mark,
no Gpg4win 3.1.15 is fine (and not affected)
because it uses the libgcrypt version 1.8.7.
Details:
It contains GnuPG 2.2.27
(The file packages.current from the git tag “gpg4win-3.1.15” has the precise versions used for the build:
name gnupg-w32-2.2.27-20210111-bin.exe
file binary/gnupg-w32-2.2.27_20210111.exe
chk 5d89e239790822711eae2899467a764879d21440ab68e9413452fa96cedeba50
)
and GnuPG 2.2.27 was released before libgcrypt 1.9.0 (the vulnerable version).
It stilll needs the 1.8.x version of libgcrypt configure.ac:NEED_LIBGCRYPT_VERSION=1.8.0)
You can see the used version in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg-doc.git;a=blob;f=web/swdb.mac;h=785ca556a4649bbe81ba8e91cf156d620f65f036;hb=7da27041da50080720a58b4cbb2dc972a0e8481f
Best Regards,
Bernhard
ps.: The news article is very short and thus does not report on the detail that usually it takes a while until a new major version of a library is picked up and goes into production. As the fix was coming within a few days
and was in a library, we believe that the window of exposure was (fortunately) limited and did not affect many installations.