Libgcrypt 1.9.0 is the new version of the encryption library built into the well-known GNU Privacy Guard (GPG) program. As you know, GPG is very practical software with which you can sign data, encrypt files to protect them from the prying eyes of third parties, and more. You can also choose between the different types of encryption and algorithms available.
This library has now become a problem: a quite severe vulnerability has been found in it that could compromise the security of this software. Furthermore, it is not only used by GnuPG. It is also used by other encryption software, so other programs could be affected in the same way.
On the project's development mailing list, Werner Koch, the developer behind GnuPG and Libgcrypt, sent a message alerting users to this problem. The problem has been active for a few days, since Libgcrypt 1.9.0 was released on January 19, 2021, which means that it was integrated in the GnuPG 2.3 version.
Koch did not initially confirm the origin or nature of this vulnerability. He limited himself to alerting users to stop using this encryption library and announced a new update to correct this security problem.
But a few days later, on January 26, he gave more information about this critical vulnerability, which still has no CVE. It is a buffer overflow that an attacker could take advantage of to access data without any verification or signature, which is concerning.
The problem was discovered by the researcher Tavis Ormandy of Google Project Zero. As far as is known, it only affects Libgcrypt version 1.9.0, and not other versions.
If you are one of those affected who has this version of the library, you can update, since there is an updated version with a patch that solves it: Libgcrypt 1.9.1.
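One way to check whether a host is running the affected release, as an added example that is not from the original article or from the GnuPG project. It assumes `gpg --version` prints a `libgcrypt X.Y.Z` line and that `libgcrypt-config` is present where the development files are installed; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Libgcrypt 1.9.0, the only release the article names as affected.
AFFECTED="1.9.0"   # from the article; 1.9.1 carries the patch

# Constructed sample of `gpg --version` output, for offline testing.
SAMPLE_GPG_OUTPUT='gpg (GnuPG) 2.x.y
libgcrypt 1.9.0
Home: /home/user/.gnupg'

# Read `gpg --version` style text on stdin and print the libgcrypt version,
# or nothing when no "libgcrypt X.Y.Z" line is present.
libgcrypt_from_gpg() {
    sed -n 's/^libgcrypt[[:space:]]\{1,\}\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# Classify one version string: prints AFFECTED, OK or UNKNOWN.
classify_libgcrypt() {
    case "$1" in
        "$AFFECTED")   echo "AFFECTED" ;;
        [0-9]*.[0-9]*) echo "OK" ;;
        *)             echo "UNKNOWN" ;;   # empty or unparseable: inspect by hand
    esac
}

# Query the tools present on this host; returns 1 if any reports 1.9.0.
check_host() {
    rc=0
    if command -v gpg >/dev/null 2>&1; then
        v=$(gpg --version 2>/dev/null | libgcrypt_from_gpg)
        s=$(classify_libgcrypt "$v")
        echo "gpg reports libgcrypt ${v:-?}: $s"
        if [ "$s" = "AFFECTED" ]; then rc=1; fi
    fi
    if command -v libgcrypt-config >/dev/null 2>&1; then
        v=$(libgcrypt-config --version 2>/dev/null)
        s=$(classify_libgcrypt "$v")
        echo "libgcrypt-config reports ${v:-?}: $s"
        if [ "$s" = "AFFECTED" ]; then rc=1; fi
    fi
    return "$rc"
}

# Run the live check only when asked: sh check.sh --host
if [ "${1:-}" = "--host" ]; then
    check_host
fi
```

Because other programs also load this library, a clean result from `gpg` alone does not cover software that ships its own copy of Libgcrypt.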