Developers behind the Libgcrypt software have deployed urgent fixes for a serious security vulnerability in the tool. Exploiting the flaw allows heap buffer overflow with malicious data from an adversary.
Libgcrypt Software Vulnerability
Google Project Zero security researcher Tavis Ormandy has publicly disclosed a critical vulnerability in Libgcrypt software.
Libgcrypt is basically a cryptographic library based on GNU Privacy Guard (GnuPG) code. It can serve as a separate GnuPG module or independently. Though, it relies on the GnuPG ‘libgpg-error’ error-reporting library.
Describing the details in a bug report, Ormandy stated that heap buffer overflow existed in the block buffer management code.
There is a heap buffer overflow in libgcrypt due to an incorrect assumption in the block buffer management code. Just decrypting some data can overflow a heap buffer with attacker controlled data, no verification or signature is validated before the vulnerability occurs.
He further stated that an adversary could easily exploit the bug.
It means that the vulnerability posed a serious threat to all users and required immediate attention.
Patch Released Immediately
Right after receiving the bug report, the Libgcrypt developers warned all users to instantly stop using the tool. As stated in their announcement,
A severe bug was reported yesterday evening against Libgcrypt 1.9.0 which we released last week.
In the meantime please stop using 1.9.0.
Besides, they rushed to develop a fix for the vulnerability. They then released the patch with a new version within few hours of the report.
So now, all those using Libgcrypt 1.9.0 should rush to update to the latest version 1.9.1. It not only includes the bug fix but also brings other improvements with it that the team has mentioned in detail in this advisory.
The developer Werner Koch has also confirmed that the critical vulnerability specifically affected version 1.9.0 only. It does not affect any other versions including the older ones.
If you are using the 1.8 LTS branch you are not affected. While you are checking anyway please make sure that you have at least 1.8.5.
Nonetheless, since the patch is out, upgrading to the latest version is essential.