Bug 125631 - GnuPG does not detect injection of unsigned data
Status: RESOLVED DUPLICATE of bug 125217
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://lists.gnupg.org/pipermail/gnup...
Reported: 2006-03-09 11:30 UTC by schaedpq
Modified: 2006-03-09 11:55 UTC (History)
Description schaedpq 2006-03-09 11:30:55 UTC
There is yet another signature verification bug in gnupg <1.4.2.2, which was released today to correct that issue. From the announcement:

--- cut here ---
Summary
=======

In the aftermath of the false positive signature verification bug
(announced 2006-02-15) more thorough testing of the fix has been done
and another vulnerability has been detected.

This new problem affects the use of *gpg* for verification of
signatures which are _not_ detached signatures.  The problem also
affects verification of signatures embedded in encrypted messages;
i.e. standard use of gpg for mails.

To solve this problem, an update of the current stable version has
been released (see below).

Please do not respond to this message.  The mailing list gnupg-devel
is the best place to discuss this problem (please subscribe first so
you don't need moderator approval [1]).

Impact:
=======

Signature verification of non-detached signatures may give a positive
result but when extracting the signed data, this data may be prepended
or appended with extra data not covered by the signature.  Thus it is
possible for an attacker to take any signed message and inject extra
arbitrary data.
--- cut here ---

For more please look at the URL above which links to the complete announcement.
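A version check for the affected range named in this report, as an added example that is not from the bug tracker or from GnuPG itself: it parses the first line of `gpg --version` output and flags anything older than 1.4.2.2, the release the reporter names as containing the fix. The banner text is constructed, the `check_installed_gpg` helper and the zero-padding rule for version tuples of unequal length are the example's own assumptions, and the script inspects only the version, not the signature behaviour.

```python
"""Flag a GnuPG installation older than 1.4.2.2 (the fixed release named in
the bug report above). Added example, not part of the Gentoo bug or GnuPG."""
import re
import subprocess
from typing import Optional, Tuple

# Fixed release named in the report: gnupg < 1.4.2.2 is affected.
FIXED_VERSION: Tuple[int, ...] = (1, 4, 2, 2)

# Constructed sample of a `gpg --version` banner (first line has the real
# shape; the second line is illustrative filler).
SAMPLE_BANNER = """gpg (GnuPG) 1.4.2.1
Copyright (C) 2005 Free Software Foundation, Inc.
"""

# Matches the banner line "gpg (GnuPG) X.Y.Z[.W]" and captures the number.
_VERSION_RE = re.compile(r"^gpg \(GnuPG\) (\d+(?:\.\d+)*)", re.MULTILINE)


def parse_gpg_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Extract the numeric version tuple from `gpg --version` output.
    Returns None when no recognisable banner line is present."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: Tuple[int, ...],
                fixed: Tuple[int, ...] = FIXED_VERSION) -> bool:
    """True when `version` is older than `fixed`. Both tuples are padded
    with zeros to equal length (assumption: "1.4.2" means "1.4.2.0") so
    that a shorter version string is not misordered by tuple comparison."""
    width = max(len(version), len(fixed))
    padded_version = version + (0,) * (width - len(version))
    padded_fixed = fixed + (0,) * (width - len(fixed))
    return padded_version < padded_fixed


def check_banner(banner: str) -> str:
    """Classify a banner as 'affected', 'fixed' or 'unknown'."""
    version = parse_gpg_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "fixed"


def check_installed_gpg() -> str:
    """Run the local gpg binary (hypothetical helper); 'unknown' when gpg is
    absent or exits non-zero, so a missing tool never reads as 'fixed'."""
    try:
        result = subprocess.run(["gpg", "--version"], capture_output=True,
                                text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return "unknown"
    return check_banner(result.stdout)


if __name__ == "__main__":
    print("sample banner:", check_banner(SAMPLE_BANNER))   # affected
    print("installed gpg:", check_installed_gpg())
```

The report names only the upgrade as the remedy, so the script reports a state rather than trying to work around the verification behaviour; an "unknown" result should be treated as unverified, not as safe.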
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2006-03-09 11:55:34 UTC

*** This bug has been marked as a duplicate of 125217 ***