GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB; see $URL and the surrounding email threads for more details and test-cases.
The reporter has some proposed patches at https://dev.gnupg.org/D556 (and in oss-security / gnupg-devel threads); mostly these flag/reject compressed packets and indeterminate-length packets in contexts where they make no sense and arguably are not within the spec (certificates, keys, detached signatures).
No CVE has been assigned yet AFAIK.
According to werner on the issue (https://dev.gnupg.org/T5993), "This specificiation is a draft which has not even been discussed in the WG. In any case gpg won't implement this because it would break processing of existing data."