Libgcrypt 1.9.0 has a severe security flaw and is not safe to use, according to its author Werner Koch.
Libgcrypt is a general-purpose cryptographic library used by GNU Privacy Guard (GnuPG), the free encryption program, as well as by other cryptographic software.
Libgcrypt 1.9.0 was released to the public on 19 January and was planned to be included in the upcoming GnuPG 2.3 release.
Just a few days after the release, the latest version of the library, 1.9.0, was found to contain a serious vulnerability that puts users’ security at risk and can be triggered simply by decrypting a block of data.
The announcement was published on Friday, 29 January, by Werner Koch, the main developer of GnuPG and the author of Libgcrypt. According to his post, “a severe bug was reported against Libgcrypt 1.9.0”. All users were therefore asked to stop using this version and to get the new patched version 1.9.1, which also carries fixes for a few build problems.
Koch also noted that the vulnerable release had been picked up by Fedora 34 (scheduled for release in April 2021) and by Gentoo Linux. The bug affects only version 1.9.0, and Libgcrypt’s developers have already removed that release from the download servers.
More details on the flaw reveal that it stems from a heap buffer overflow caused by an incorrect assumption in the block buffer management code. Koch noted that the vulnerability is very easy to exploit: it allows an attacker to execute arbitrary code on the targeted computer. All 1.9.0 users should therefore act immediately and update to version 1.9.1. Developers who ship Libgcrypt 1.9.0 with their applications should also move to the patched version as soon as possible.
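The article only names the bug class, a heap overflow in block buffer management. The following is an added illustration of the pattern such code implements, written for this page and not taken from libgcrypt: a partial-block accumulator that bounds every copy by the space actually left in its heap buffer, so an input chunk longer than the buffer can never spill past the allocation. All names (`block_ctx`, `block_write`, `process_block`) are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical block accumulator (illustration, not libgcrypt's code).
 * Callers feed data in arbitrary chunks; the accumulator keeps at most one
 * partial block in a heap buffer of exactly blocksize bytes. */
typedef struct {
    uint8_t *buf;        /* heap buffer of blocksize bytes */
    size_t   blocksize;  /* block size the buffer was allocated for */
    size_t   count;      /* bytes currently buffered; invariant: count < blocksize */
    size_t   blocks;     /* full blocks processed so far */
} block_ctx;

static block_ctx *block_ctx_new(size_t blocksize) {
    block_ctx *c = calloc(1, sizeof *c);
    if (!c || blocksize == 0) { free(c); return NULL; }
    c->buf = malloc(blocksize);
    if (!c->buf) { free(c); return NULL; }
    c->blocksize = blocksize;
    return c;
}

/* Stand-in for the real per-block transform (e.g. a hash compression step). */
static void process_block(block_ctx *c, const uint8_t *block) {
    (void)block;
    c->blocks++;
}

/* Feed inlen bytes. The copy length is always min(inlen, blocksize - count),
 * never the caller's inlen on its own, which is the check whose absence
 * turns an oversized chunk into a heap overflow. Returns 0 on success. */
static int block_write(block_ctx *c, const uint8_t *in, size_t inlen) {
    if (!c || (!in && inlen)) return -1;
    while (inlen) {
        size_t space = c->blocksize - c->count;   /* > 0 by the invariant */
        size_t take  = inlen < space ? inlen : space;
        memcpy(c->buf + c->count, in, take);
        c->count += take; in += take; inlen -= take;
        if (c->count == c->blocksize) {           /* full block: consume it */
            process_block(c, c->buf);
            c->count = 0;
        }
    }
    return 0;
}

static void block_ctx_free(block_ctx *c) {
    if (c) { free(c->buf); free(c); }
}
```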