Tavis Ormandy of the Gentoo security team identified a severe and
exploitable bug in the processing of encrypted packets in GnuPG.

sing malformed OpenPGP packets an attacker is able to modify and
dereference a function pointer in GnuPG. This is a remotely
exploitable bug and affects any use of GnuPG where an attacker can
control the data processed by GnuPG. It is not necessary limited to
encrypted data, also signed data may be affected.

Affected versions: All versions of GnuPG < 1.4.6
All versions of GnuPG-2 < 2.0.2
All beta versions of GnuPG-2 (1.9.0 .. 1.9.95)
Affected tools: gpg, gpgv, gpg2 and gpgv2.
Affected platforms: All.

gpg-agent, gpgsm as well as other tools are not affected.

Solution
========

If you are using a vendor supplied version of GnuPG:

* Wait for an update from your vendor. Vendors have been informed on
Saturday December 2, less than a day after this bug has been reported.

If you are using GnuPG 1.4:

* Update as soon as possible to GnuPG 1.4.6. It has been uploaded to
the usual location: ftp.gnupg.org This version
was due to be released anyway this week. See
www.gnupg.org for details.

* Or: As another and less intrusive option, apply the attached patch
to GnuPG 1.4.5. This is the smallest possible fix.

If you are using GnuPG 2.0:

* Apply the attached patch against GnuPG 2.0.1. [ www.kfwebs.com ]

* Or: Stop using gpg2 and gpgv2, install GnuPG 1.4.6 and use gpg and gpgv
instead.

If you are using a binary Windows version of GnuPG:

* A binary version of GnuPG 1.4.6 for Windows is available as usual.

* Gpg4win 1.0.8, including GnuPG 1.4.6, is available. Please go to
www.gpg4win.org .

Background at lists.gnupg.org