Huge Vulnerability in GPG
GPG (GnuPG) is an open-source implementation of the PGP e-mail encryption protocol. Recently, a very serious vulnerability was discovered in the software: given a signed e-mail message, you can modify the message—specifically, you can prepend or append arbitrary data—without the signature verification failing.
It appears this bug has existed for years without anybody finding it.
Moral: Open source does not necessarily mean “fewer bugs.” I wrote about this back in 1999.
UPDATED TO ADD (3/13): This bug is fixed in Version 1.4.2.2. Users should upgrade immediately.
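As an added illustration (not from the post, and not GnuPG's code), the following Python models the failure mode described above: a lenient verifier that checks the signature over the framed region and then reports the entire input as verified, beside a strict verifier that rejects any bytes outside the signed region. The framing markers, the HMAC standing in for a public-key signature, and the sample messages are all constructed for this demo and are not OpenPGP syntax.

```python
import hmac
import hashlib

# Constructed demo key: an HMAC stands in for the OpenPGP public-key
# signature so the example runs offline with the standard library only.
KEY = b"constructed-demo-key"

# Constructed framing markers (not OpenPGP packet or armor syntax).
BEGIN = b"-----BEGIN SIGNED-----\n"
END = b"-----END SIGNED-----\n"
SIG = b"-----SIGNATURE-----\n"


def _tag(body: bytes, key: bytes) -> bytes:
    """Hex tag over the body only; models what a signature actually covers."""
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def sign_message(body: bytes, key: bytes = KEY) -> bytes:
    """Wrap body in the framing markers and append a tag over the body."""
    return BEGIN + body + END + SIG + _tag(body, key) + b"\n"


def _split(message: bytes):
    """Return (prefix, body, tag, suffix): bytes before the framed region,
    the signed body, the tag, and bytes after the tag line."""
    i = message.find(BEGIN)
    if i < 0:
        raise ValueError("no BEGIN marker")
    j = message.find(END, i + len(BEGIN))
    if j < 0:
        raise ValueError("no END marker")
    body = message[i + len(BEGIN):j]
    k = j + len(END)
    if not message.startswith(SIG, k):
        raise ValueError("no signature block")
    tag_start = k + len(SIG)
    tag_end = message.find(b"\n", tag_start)
    if tag_end < 0:
        raise ValueError("unterminated tag")
    return message[:i], body, message[tag_start:tag_end], message[tag_end + 1:]


def lenient_verify(message: bytes, key: bytes = KEY):
    """Models the flaw: the tag is checked over the framed body, but the
    whole input is reported as verified, so unsigned data that was
    prepended or appended rides along with a 'good signature' result."""
    try:
        prefix, body, tag, suffix = _split(message)
    except ValueError:
        return False, b""
    if not hmac.compare_digest(tag, _tag(body, key)):
        return False, b""
    return True, message  # BUG: prefix and suffix were never signed


def strict_verify(message: bytes, key: bytes = KEY):
    """Correct behaviour: only the bytes actually under the signature are
    returned, and any data outside the framed region fails verification."""
    try:
        prefix, body, tag, suffix = _split(message)
    except ValueError:
        return False, b""
    if not hmac.compare_digest(tag, _tag(body, key)):
        return False, b""
    if prefix or suffix:
        return False, b""
    return True, body


if __name__ == "__main__":
    # Constructed sample: a pristine signed note and a copy with unsigned
    # bytes placed before and after the signed region.
    original = sign_message(b"hello\n")
    tampered = b"UNSIGNED HEADER\n" + original + b"UNSIGNED TRAILER\n"
    print("lenient, pristine:", lenient_verify(original)[0])
    print("lenient, tampered:", lenient_verify(tampered)[0])  # True: the bug
    print("strict, tampered: ", strict_verify(tampered)[0])   # False
```

The defensive lesson is in `strict_verify`: a verifier must hand back only the bytes the signature covers and treat anything else in the input as a verification failure, rather than reporting a good signature on the whole file.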
Anonymous • March 13, 2006 7:08 AM
At least it was found now; no corporation has an incentive to hide that the bug exists or for how long; and bugs in open source security software happen by accident, not on purpose.