by daemon13 4652 days ago
So, practical question

I am on Ubuntu LTS 12.04 with GnuPG 1.4.11 (Linux version 3.2.0-32-virtual (buildd@batsu) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)).

Q1. Do I need to fix this potential attack?

Q2. Assuming this fix is not backported [now] - if I compile fresh gpg and swap the binary with the old gpg - will this fix it?


Q1: Yes, it is fixed in 1.4.14 only.

Q2: Cleanest would be to uninstall GnuPG and install the latest from source. Make sure to back up relevant directories containing GnuPG-related data (probably in your home - sorry, I'm not familiar with Ubuntu).

BIG WARNING - THIS IS NOT THE BEST WAY TO INSTALL GNUPG! IT DOES NOT VERIFY ANY (REAL) SIGNATURES!!

FYI - Debian unstable (aka sid) has a package, and there is a backport to Ubuntu Saucy. I'm not sure what the best/easiest way is to automatically pull down sources for a newer release than the release you're running in Ubuntu (there might be some apt-add magick for source mirrors?) -- but since it is up at launchpad[1], you can:

a) try the binaries
b) build the debs yourself (aka manually "backport"):

    mkdir -p tmp/gnupg
    cd tmp/gnupg
    sudo apt-get build-dep gnupg
    sudo aptitude install dpkg-dev   # This might get pulled
                                     # in by the line above
    wget https://launchpad.net/ubuntu/saucy/+source/gnupg/1.4.14-1ubuntu1/+files/gnupg_1.4.14.orig.tar.gz \
         https://launchpad.net/ubuntu/saucy/+source/gnupg/1.4.14-1ubuntu1/+files/gnupg_1.4.14-1ubuntu1.debian.tar.gz \
         https://launchpad.net/ubuntu/saucy/+source/gnupg/1.4.14-1ubuntu1/+files/gnupg_1.4.14-1ubuntu1.dsc

    # Unpack upstream, then unpack the debian/ directory into the source tree.
    # (dpkg-source -x gnupg_1.4.14-1ubuntu1.dsc does both and also checks the
    # tarballs against the checksums in the .dsc.)
    tar xzf gnupg_1.4.14.orig.tar.gz
    cd gnupg-1.4.14
    tar xzf ../gnupg_1.4.14-1ubuntu1.debian.tar.gz
    # dpkg-buildpackage must run from the source root, not from debian/.
    # -us -uc skips signing the .dsc/.changes; the .debs land in the parent dir.
    dpkg-buildpackage -us -uc
    cd ..
    sudo dpkg -i gpgv_1.4.14-1ubuntu1_amd64.deb \
                 gnupg_1.4.14-1ubuntu1_amd64.deb \
                 gnupg-curl_1.4.14-1ubuntu1_amd64.deb
  
Note: This might not be a good idea with a package that is as important as gnupg (among other things, apt package lists are signed with gnupg!). And as you can also see above, the packages are not signed (explicitly, even if they do come in via https...).

At least this built fine under wheezy -- but I haven't tried installing them (I'm not that worried that someone will snoop my workstation cache..).

So not really meant for advice on how to get an upstream gnupg -- but useful with a few other well-behaved programs. So big warning, practice safe hex and all that!
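The build recipe in the comment above downloads the .dsc but never uses it. As an added example (not from the thread, and not part of dpkg or GnuPG), here is a small POSIX shell check that reads the Checksums-Sha256 block a Debian/Ubuntu .dsc carries and verifies the listed tarballs with sha256sum before anything is built; dpkg-source -x performs the same check for you, this just makes visible what is being checked. The demo runs against a constructed stand-in tarball and .dsc, not the real Launchpad files, and assumes GNU coreutils sha256sum and a POSIX awk.

```shell
#!/bin/sh
# Added example, not from the HN thread: verify the tarballs named in a .dsc
# against its Checksums-Sha256 block before running dpkg-buildpackage.
# Assumes GNU coreutils (sha256sum, mktemp) and POSIX awk.

# Print "<sha256>  <filename>" for each entry in the Checksums-Sha256 block.
# In a .dsc the field line is followed by continuation lines that start with a
# space and read "<sha256> <size> <filename>"; the block ends at the next
# line that does not start with a space (the next field, or a PGP signature).
dsc_sha256_list() {
    awk '
        /^Checksums-Sha256:/ { inblock = 1; next }
        inblock && /^ /      { print $1 "  " $3; next }
        inblock              { inblock = 0 }
    ' "$1"
}

# verify_dsc_checksums DSC [DIR]: check every file listed in DSC, looking for
# the files in DIR (default: current directory). Exit status 0 only if every
# listed file exists and matches; 2 if the .dsc has no Checksums-Sha256 block.
verify_dsc_checksums() {
    dsc=$1
    dir=${2:-.}
    list=$(dsc_sha256_list "$dsc")
    [ -n "$list" ] || { echo "no Checksums-Sha256 block in $dsc" >&2; return 2; }
    ( cd "$dir" && printf '%s\n' "$list" | sha256sum -c --strict --quiet )
}

# Stand-alone demonstration with a constructed tarball stand-in and a
# constructed .dsc (these are NOT the real Launchpad files): one clean check,
# then one after the tarball has been tampered with.
demo() {
    work=$(mktemp -d)
    printf 'constructed source tarball stand-in\n' > "$work/gnupg_1.4.14.orig.tar.gz"
    sum=$(sha256sum "$work/gnupg_1.4.14.orig.tar.gz" | awk '{print $1}')
    size=$(wc -c < "$work/gnupg_1.4.14.orig.tar.gz" | tr -d ' ')
    cat > "$work/gnupg_1.4.14-1ubuntu1.dsc" <<EOF
Format: 3.0 (quilt)
Source: gnupg
Version: 1.4.14-1ubuntu1
Checksums-Sha256:
 $sum $size gnupg_1.4.14.orig.tar.gz
Package-List:
 gnupg deb utils optional
EOF
    if verify_dsc_checksums "$work/gnupg_1.4.14-1ubuntu1.dsc" "$work"; then
        echo "clean tarball: checksums match the .dsc, safe to unpack and build"
    fi
    printf 'tampered\n' >> "$work/gnupg_1.4.14.orig.tar.gz"
    if ! verify_dsc_checksums "$work/gnupg_1.4.14-1ubuntu1.dsc" "$work" 2>/dev/null; then
        echo "tampered tarball: checksum mismatch, do not build"
    fi
    rm -rf "$work"
}

demo
```

Caveat: a matching checksum proves only that the tarballs are the ones the .dsc describes. It says nothing about whether the .dsc itself is genuine; that is what gpg --verify of the .dsc against the uploader's key in the Ubuntu keyring would establish, and that is precisely the signature check the comment above says its recipe does not do.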