"Critical Libgcrypt Crypto Bug Opens Machines to Arbitrary Code"
The Libgcrypt project has rushed out a fix for a critical bug in version 1.9.0 of the free-source cryptographic library. Libgcrypt is a general-purpose cryptographic library for developers to use when building applications. It can be used across Linus, Unix, macOSX applications and can be enabled using a cross-compiler system for Microsoft Windows. Google Project Zero researcher Tavis Ormandy discovered the bug. The researcher stated that the bug is simple to exploit and can be exploited by merely decrypting a block of data. An exploit would allow an attacker to write arbitrary data to a target machine and execute code. The security flaw is a heap-buffer overflow bug in Libgcrypt 1.9.0 (released on January 19). The previous versions are not affected by the flaw. The issue is patched (CVE pending) in Libgcrypt version 1.9.1. The flawed version is no longer available for download, but it is unclear how many developers downloaded it to build their applications before it was taken down. The researcher urged developers to replace the buggy library with the newest version.
Threatpost reports: "Critical Libgcrypt Crypto Bug Opens Machines to Arbitrary Code"