GNU Privacy Guard
== Vulnerabilities ==
The OpenPGP standard specifies several methods of [[digital signature|digitally signing]] messages. In 2003, due to an error in a change to GnuPG intended to make one of those methods more efficient, a security vulnerability was introduced.<ref>{{cite web|url=https://www.di.ens.fr/~pnguyen/pub_Ng04.htm|title=Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard v1.2.3.|last=Nguyen|first=Phong Q.|publisher=EUROCRYPT 2004: 555–570|access-date=2019-08-23|archive-url=https://web.archive.org/web/20171204133110/http://www.di.ens.fr/~pnguyen/pub_Ng04.htm|archive-date=2017-12-04|url-status=live}}</ref> It affected only one method of digitally signing messages, only for some releases of GnuPG (1.0.2 through 1.2.3), and there were fewer than 1000 such keys listed on the key servers.<ref>{{cite web|url=http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000160.html|title=GnuPG's ElGamal signing keys compromised|last=Koch|first=Werner|author-link=Werner Koch|date=November 27, 2003|access-date=May 14, 2004|archive-url=https://web.archive.org/web/20040318174334/http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000160.html|archive-date=March 18, 2004|url-status=live}}</ref> Most people did not use this method, and were in any case discouraged from doing so, so the damage caused (if any, since none has been publicly reported) would appear to have been minimal. Support for this method has been removed from GnuPG versions released after this discovery (1.2.4 and later).

Two further vulnerabilities were discovered in early 2006: the first was that scripted uses of GnuPG for signature verification may result in [[False positives and false negatives|false positives]],<ref>{{cite web|url=http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000211.html|title=False positive signature verification in GnuPG|last=Koch|first=Werner|author-link=Werner Koch|date=February 15, 2006|access-date=May 23, 2006|archive-url=https://web.archive.org/web/20060617192634/http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000211.html|archive-date=June 17, 2006|url-status=live}}</ref> the second that non-MIME messages were vulnerable to the injection of data which, while not covered by the digital signature, would be reported as being part of the signed message.<ref>{{cite web|url=http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000218.html|title=GnuPG does not detect injection of unsigned data|last=Koch|first=Werner|author-link=Werner Koch|date=March 9, 2006|access-date=May 23, 2006|archive-url=https://web.archive.org/web/20060505205727/http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000218.html|archive-date=May 5, 2006|url-status=live}}</ref> In both cases updated versions of GnuPG were made available at the time of the announcement.

In June 2017, a vulnerability (CVE-2017-7526) was discovered by Bernstein, Breitner and others in [[Libgcrypt]], a library used by GnuPG; it enabled full key recovery for RSA-1024 keys and for more than about 1/8th of RSA-2048 keys.
This [[side-channel attack]] exploits the fact that [[Libgcrypt]] used a [[Exponentiation by squaring#Sliding window method|sliding windows method for exponentiation]] which leads to the leakage of exponent bits and to full key recovery.<ref>{{Cite web|url=https://lwn.net/Articles/727179/|title=Breaking Libgcrypt RSA via a side channel|last=Edge|first=Jake|date=5 July 2017|website=LWN.net|access-date=28 July 2017|archive-url=https://web.archive.org/web/20170728155905/https://lwn.net/Articles/727179/|archive-date=28 July 2017|url-status=live}}</ref><ref>{{cite web|url=https://eprint.iacr.org/2017/627.pdf|title=Sliding right into disaster: Left-to-right sliding windows leak|access-date=2017-06-30|archive-url=https://web.archive.org/web/20170630170347/https://eprint.iacr.org/2017/627.pdf|archive-date=2017-06-30|url-status=live}}</ref> Again, an updated version of GnuPG was made available at the time of the announcement.

Around June 2018, the [[SigSpoof]] attacks were announced. These allowed an attacker to convincingly spoof digital signatures.<ref>{{Cite web |url=https://arstechnica.com/information-technology/2018/06/decades-old-pgp-bug-allowed-hackers-to-spoof-just-about-anyones-signature/ |title=Decades-old PGP bug allowed hackers to spoof just about anyone's signature |date=14 June 2018 |access-date=2018-09-07 |archive-url=https://web.archive.org/web/20180907110403/https://arstechnica.com/information-technology/2018/06/decades-old-pgp-bug-allowed-hackers-to-spoof-just-about-anyones-signature/ |archive-date=2018-09-07 |url-status=live }}</ref><ref>{{Cite web |url=https://www.theregister.co.uk/2018/06/19/gnupg_popped_again_in_pass/ |title=Pass gets a fail: Simple Password Store suffers GnuPG spoofing bug |website=[[The Register]] |access-date=2018-09-07 |archive-url=https://web.archive.org/web/20180630114100/https://www.theregister.co.uk/2018/06/19/gnupg_popped_again_in_pass/ |archive-date=2018-06-30 |url-status=live }}</ref>

In January 2021, Libgcrypt 1.9.0 was released, which was found to contain a severe bug that was simple to exploit. A fix was released 10 days later in Libgcrypt 1.9.1.<ref>{{Cite web|url=https://www.theregister.com/2021/01/29/severe_libgcrypt_bug/|archive-url = https://web.archive.org/web/20210221012505/https://www.theregister.com/2021/01/29/severe_libgcrypt_bug/|archive-date = 2021-02-21|title = Severe bug in Libgcrypt – used by GPG and others – is a whole heap of trouble, prompts patch scramble}}</ref>
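
The sliding-window leak described above for CVE-2017-7526, as an added example that is not Libgcrypt's code and not part of the original article: a toy left-to-right sliding-window exponentiation that records its square (S) and multiply (M) sequence, the exponent bits that sequence implies under two simple rules, and an exponent-independent fixed-window schedule for contrast. The function names, the window width and the sample exponent are assumptions constructed for illustration.

```python
def sliding_window_pow(base, exponent, modulus, w=3):
    """Left-to-right sliding-window modexp; returns (result, 'S'/'M' trace)."""
    sq = base * base % modulus
    odd = {1: base % modulus}              # odd powers base^1, base^3, ...
    for k in range(3, 1 << w, 2):
        odd[k] = odd[k - 2] * sq % modulus
    bits = bin(exponent)[2:]
    acc, trace, i = 1, [], 0
    while i < len(bits):
        if bits[i] == "0":                 # zero bit between windows: square only
            acc = acc * acc % modulus
            trace.append("S")
            i += 1
            continue
        j = min(i + w, len(bits))          # window of at most w bits ...
        while bits[j - 1] == "0":          # ... trimmed so it ends in a 1 bit
            j -= 1
        for _ in range(j - i):             # one squaring per window bit
            acc = acc * acc % modulus
            trace.append("S")
        acc = acc * odd[int(bits[i:j], 2)] % modulus
        trace.append("M")
        i = j
    return acc, "".join(trace)


def bits_leaked(trace, w=3):
    """Exponent bits implied by the trace alone, as {index: bit}, index 0 = MSB."""
    known, pos, run = {}, 0, 0             # run = squarings since last multiply
    for op in trace:
        if op == "S":
            pos, run = pos + 1, run + 1
            continue
        known[pos - 1] = 1                 # every window ends in a 1 bit
        for z in range(pos - run, pos - w):
            known[z] = 0                   # squarings beyond w were zero bits
        run = 0
    return known


def fixed_window_trace(exponent, w=3):
    """Schedule that multiplies once per w bits, even for an all-zero window."""
    return ("S" * w + "M") * -(-exponent.bit_length() // w)


if __name__ == "__main__":
    SAMPLE = 0b110100011                   # constructed exponent, not a real key
    result, trace = sliding_window_pow(7, SAMPLE, 1000003)
    print(trace, bits_leaked(trace), fixed_window_trace(SAMPLE))
```

A fixed schedule removes this signal only if the table lookup and the multiplication are themselves independent of the window value.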