Vigil@nce - GnuPG: information disclosure via OpenPGP Format
May 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who can read the error messages produced during
automatic decryption by GnuPG can send numerous encrypted
messages in order to progressively guess the content of the clear
message.
Impacted products: GnuPG
Severity: 1/4
Creation date: 07/05/2015
DESCRIPTION OF THE VULNERABILITY
The GnuPG product can be installed in order to automatically
decrypt messages.
When an error occurs during automatic decryption, GnuPG shows
a message. However, the error message depends on where the error is
located.
An attacker who can read the error messages produced during
automatic decryption by GnuPG can therefore send numerous
encrypted messages in order to progressively guess the content of
the clear message.
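
One way a service that decrypts automatically can avoid exposing this difference, shown as an added example that is not part of the Vigil@nce bulletin or of GnuPG: every failure produces the same reply to the sender, GnuPG's diagnostic stays in a local log, and repeated failures from one sender are counted. The names handle_incoming, GENERIC_FAILURE and MAX_FAILURES and the threshold value are assumptions made for this illustration.

```python
import logging
import subprocess
from collections import Counter

log = logging.getLogger("autodecrypt")
GENERIC_FAILURE = "Message could not be processed."  # identical for every failure
MAX_FAILURES = 20        # assumed per-sender threshold; tune for the service
failures = Counter()     # sender -> failed decryptions seen so far


class DecryptError(Exception):
    """Carries GnuPG's diagnostic text; intended for local logs only."""


def gpg_decrypt(blob: bytes) -> bytes:
    """Decrypt with the local gpg binary; raise DecryptError on any failure."""
    try:
        proc = subprocess.run(["gpg", "--batch", "--no-tty", "--decrypt"],
                              input=blob, capture_output=True)
    except OSError as exc:  # gpg missing or not executable
        raise DecryptError(str(exc))
    if proc.returncode != 0:
        raise DecryptError(proc.stderr.decode(errors="replace"))
    return proc.stdout


def handle_incoming(sender: str, blob: bytes, decrypt=gpg_decrypt):
    """Return (plaintext_or_None, reply_text_shown_to_sender)."""
    if failures[sender] >= MAX_FAILURES:
        # Too many failed attempts: stop decrypting for this sender.
        log.warning("sender %s over failure threshold, dropping", sender)
        return None, GENERIC_FAILURE
    try:
        plaintext = decrypt(blob)
    except DecryptError as exc:
        failures[sender] += 1
        # The location-dependent detail is logged locally, never returned.
        log.info("decrypt failed for %s (%d so far): %s",
                 sender, failures[sender], exc)
        return None, GENERIC_FAILURE
    return plaintext, "OK"
```

The decrypt parameter exists so that the handler can be exercised with a stub instead of a real keyring.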
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/GnuPG-information-disclosure-via-OpenPGP-Format-16842