There is yet another signature verification bug in gnupg <1.4.2.2, which was released today to correct that issue. From the announcement:

--- cut here ---

Summary
=======

In the aftermath of the false positive signature verification bug (announced 2006-02-15) more thorough testing of the fix has been done and another vulnerability has been detected. This new problem affects the use of *gpg* for verification of signatures which are _not_ detached signatures. The problem also affects verification of signatures embedded in encrypted messages; i.e. standard use of gpg for mails.

To solve this problem, an update of the current stable version has been released (see below).

Please do not respond to this message. The mailing list gnupg-devel is the best place to discuss this problem (please subscribe first so you don't need moderator approval [1]).

Impact:
=======

Signature verification of non-detached signatures may give a positive result but when extracting the signed data, this data may be prepended or appended with extra data not covered by the signature. Thus it is possible for an attacker to take any signed message and inject extra arbitrary data.

--- cut here ---

For more please look at the URL above which links to the complete announcement.
*** This bug has been marked as a duplicate of 125217 ***
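Added illustration of the Impact paragraph above; this is a constructed toy model, not GnuPG's code and not the actual defect in gpg. It uses the OpenPGP one-pass-signature / literal-data / signature packet layout with an HMAC standing in for the public-key signature; `verify_naive` models the described failure (extra literal packets spliced around a valid signed message come back as if covered), while `verify_strict` returns only data the signature covers.

```python
import hashlib
import hmac

TAG_SIG, TAG_ONEPASS, TAG_LITERAL = 2, 4, 11  # real OpenPGP packet tags
KEY = b"constructed-demo-key"  # HMAC stands in for the real signature (constructed)


def packet(tag, body):
    """New-format packet header with a one-octet body length (body < 192 bytes)."""
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body

def parse(stream):
    """Split a stream of one-octet-length packets into (tag, body) pairs."""
    pkts, pos = [], 0
    while pos < len(stream):
        tag, n = stream[pos] & 0x3F, stream[pos + 1]
        pkts.append((tag, stream[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return pkts

def sig_ok(literal, sig):
    return hmac.compare_digest(hmac.new(KEY, literal, hashlib.sha256).digest(), sig)

def sign_message(data):
    """Non-detached signed message: one-pass sig, literal data, signature."""
    mac = hmac.new(KEY, data, hashlib.sha256).digest()
    return packet(TAG_ONEPASS, b"\x03") + packet(TAG_LITERAL, data) + packet(TAG_SIG, mac)

def verify_naive(stream):
    """Flawed model: report OK if any signature covers any literal, then hand
    back every literal packet in the stream, covered or not."""
    pkts = parse(stream)
    literals = [b for t, b in pkts if t == TAG_LITERAL]
    sigs = [b for t, b in pkts if t == TAG_SIG]
    ok = any(sig_ok(lit, s) for lit in literals for s in sigs)
    return (True, b"".join(literals)) if ok else (False, None)

def verify_strict(stream):
    """Hardened model: exactly one one-pass/literal/signature bracket, and
    only the literal that signature covers is returned; anything else fails."""
    pkts = parse(stream)
    if [t for t, _ in pkts] != [TAG_ONEPASS, TAG_LITERAL, TAG_SIG]:
        return False, None
    literal, sig = pkts[1][1], pkts[2][1]
    return (True, literal) if sig_ok(literal, sig) else (False, None)


SIGNED = sign_message(b"transfer 10")  # constructed demo message
INJECTED = packet(TAG_LITERAL, b"[injected] ") + SIGNED + packet(TAG_LITERAL, b" [more]")
```

Run `verify_naive(INJECTED)` and `verify_strict(INJECTED)` side by side: the first reports success and returns the spliced-in text along with the signed text, the second rejects the stream.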