Huge Vulnerability in GPG
GPG is an open-source version of the PGP e-mail encryption protocol. Recently, a very serious vulnerability was discovered in the software: given a signed e-mail message, you can modify the message — specifically, you can prepend or append arbitrary data — without disturbing the signature verification.
It appears this bug has existed for years without anybody finding it.
Moral: Open source does not necessarily mean “fewer bugs.” I wrote about this back in 1999.
UPDATED TO ADD (3/13): This bug is fixed in Version 1.4.2.2. Users should upgrade immediately.
Anonymous • March 13, 2006 7:08 AM
At least it was found now; no corporation has an incentive to hide that the bug exists and how long; and bugs in open source security software happen by accident, not purpose.