Huge Vulnerability in GPG
GPG is an open-source implementation of the PGP e-mail encryption protocol. Recently, a very serious vulnerability was discovered in the software: given a signed e-mail message, you can modify the message -- specifically, you can prepend or append arbitrary data -- and the signature still verifies as good.
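To make this class of failure concrete, here is an added example; it is not GnuPG's code and does not use the OpenPGP packet format. The two-packet message layout, the HMAC standing in for a public-key signature, and the key are all constructed for illustration. It shows a verifier that correctly checks a signature over the data it covers but then hands back every data packet it saw, so unsigned data placed before or after the signed message is reported to the user alongside a "good signature" result, beside the stricter check a verifier should perform: refuse any message that is not exactly one signed block.

```python
import hmac
import hashlib
from typing import List, Tuple

# Toy packet format (constructed for this example, not OpenPGP):
# a message is a list of (kind, payload) pairs where kind is "DATA" or "SIG".
# A "SIG" packet carries an HMAC-SHA256 tag over the "DATA" payload that
# immediately precedes it. The HMAC stands in for a real signature.
Packet = Tuple[str, bytes]
DEMO_KEY = b"constructed-demo-key"  # placeholder key, not a real secret


def sign_message(text: bytes, key: bytes = DEMO_KEY) -> List[Packet]:
    """Produce the only well-formed signed message: one DATA, one SIG."""
    tag = hmac.new(key, text, hashlib.sha256).digest()
    return [("DATA", text), ("SIG", tag)]


def naive_verify(packets: List[Packet], key: bytes = DEMO_KEY) -> Tuple[bool, bytes]:
    """Flawed verifier, in the spirit of the bug described above.

    It verifies whichever SIG packet it finds against the DATA packet that
    precedes it, and if that tag checks out it reports success. But the
    plaintext it returns is the concatenation of *every* DATA packet in the
    stream, so unsigned DATA packets before or after the signed one are
    passed to the reader under a 'good signature' verdict.
    """
    output = b""
    signature_ok = False
    previous_data = None
    for kind, payload in packets:
        if kind == "DATA":
            output += payload
            previous_data = payload
        elif kind == "SIG" and previous_data is not None:
            expected = hmac.new(key, previous_data, hashlib.sha256).digest()
            if hmac.compare_digest(expected, payload):
                signature_ok = True
    return signature_ok, output


def strict_verify(packets: List[Packet], key: bytes = DEMO_KEY) -> Tuple[bool, bytes]:
    """Hardened verifier: the verdict covers the whole message, not one packet.

    Accept only the exact shape sign_message() produces, a single DATA packet
    followed by a single SIG packet whose tag verifies. Anything extra, in any
    position, fails the message as a whole and no plaintext is released.
    """
    if len(packets) != 2:
        return False, b""
    (data_kind, data), (sig_kind, tag) = packets
    if data_kind != "DATA" or sig_kind != "SIG":
        return False, b""
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, b""
    return True, data


def tampered_message(extra_before: bytes, extra_after: bytes) -> List[Packet]:
    """Build the test vector: a genuinely signed message with unsigned DATA
    packets wrapped around it. Used below to compare the two verifiers."""
    return [("DATA", extra_before)] + sign_message(b"hello") + [("DATA", extra_after)]


def demo() -> dict:
    """Run both verifiers over a clean and a tampered message."""
    clean = sign_message(b"hello")
    tampered = tampered_message(b"INJECTED ", b" TRAILER")
    return {
        "naive_clean": naive_verify(clean),
        "naive_tampered": naive_verify(tampered),
        "strict_clean": strict_verify(clean),
        "strict_tampered": strict_verify(tampered),
    }


if __name__ == "__main__":
    for name, (ok, text) in demo().items():
        print(f"{name:16s} signature_ok={ok!s:5s} plaintext={text!r}")
```

The naive verifier answers the question "is there a valid signature somewhere in this message?", which is the wrong question; the strict one answers "is every byte I am about to show the reader covered by a signature I verified?". The fix is in the shape of the check, not in the cryptography: the HMAC is computed identically in both.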
It appears this bug has existed for years without anybody finding it.
Moral: Open source does not necessarily mean "fewer bugs." I wrote about this back in 1999.
UPDATED TO ADD (3/13): This bug is fixed in Version 220.127.116.11. Users should upgrade immediately.
Posted on March 13, 2006 at 6:33 AM • 37 Comments