There is a serious heap buffer overflow vulnerability in version 1.9.0 of the Libgcrypt cryptographic library that can be triggered simply by decrypting a block of data.
The vulnerability only affects that one version, and the Libgcrypt developers have removed the vulnerable release from the download servers and published a fixed version, 1.9.1. Still, the bug is very easy to exploit, and triggering it lets an attacker write arbitrary data onto the target machine. Researcher Tavis Ormandy of Google Project Zero discovered the flaw and reported it to the Libgcrypt developers, who pushed out a patch within a day.
“There is a heap buffer overflow in libgcrypt due to an incorrect assumption in the block buffer management code. Just decrypting some data can overflow a heap buffer with attacker controlled data, no verification or signature is validated before the vulnerability occurs,” Ormandy said in his report to the Libgcrypt developers.
The vulnerability was first introduced about two years ago during the development of version 1.9 of Libgcrypt but was only identified this week by Ormandy. Libgcrypt is a general cryptographic library that provides the building blocks for performing cryptographic functions in software. It’s used in a variety of applications, with GnuPG being the most well-known, as the Libgcrypt library was built on GnuPG code.
Any developers who ship Libgcrypt 1.9.0 in their applications should update as soon as possible.
“Exploiting this bug is simple and thus immediate action for 1.9.0 users is required,” the announcement from the Libgcrypt developers says.