Werner Koch

**Name of the Vulnerable Software and Affected Versions** GnuPG versions 1.4.x through 1.4.15 GnuPG versions 2.0.x through 2.0.22 gnupg2 versions 2.0.10 through 2.0.14 gnupg2-debuginfo versions 2.0.10 through 2.0.14 gnupg2-smime versions 2.0.14 **Description** The issue affects the compressed packet parser in GnuPG, allowing remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message. This can lead to a disruption of integrity and availability of protected information. The exploitation of the vulnerabilities can be carried out remotely. **Recommendations** For GnuPG versions 1.4.x through 1.4.15, update to version 1.4.15 or later. For GnuPG versions 2.0.x through 2.0.22, update to version 2.0.22 or later. For gnupg2 versions 2.0.10 through 2.0.14, update to a version later than 2.0.14. For gnupg2-debuginfo versions 2.0.10 through 2.0.14, update to a version later than 2.0.14. For gnupg2-smime versions 2.0.14, update to a version later than 2.0.14.

**Name of the Vulnerable Software and Affected Versions** GnuPG versions 1.4 and 2.0 **Description** The issue is related to multiple vulnerabilities in the GnuPG package, which can lead to a breach of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. Specifically, a heap-based buffer overflow in the `ask outfile name` function in `openfile.c` for GnuPG, when running interactively, might allow attackers to execute arbitrary code via messages with "C-escape" expansions. **Recommendations** For GnuPG versions 1.4 and 2.0, consider disabling the `ask outfile name` function in `openfile.c` to minimize the risk of exploitation until a patch is available. Restrict access to the `make printable string` function to prevent attackers from executing arbitrary code.