GnuPG Multiply Signed Message Document Modification
Local Access Required, Remote / Network Access
Loss of Integrity
GnuPG contains a flaw that may allow an attacker to modify documents in a signed message without changing the apparent signatures. The issue is triggered when a message with multiple cleartext signatures and multiple attached documents is created. GnuPG does not compare each signature for each document in the message, but instead flags each document as good or bad depending on the first document in the file. This flaw may allow an attacker to surreptitiously modify any document but the first, resulting in a loss of integrity.
Upgrade to version 1.0.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
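The verification logic described above can be shown with a simplified model. This is an added example, not GnuPG code: HMAC-SHA256 stands in for an OpenPGP signature, and every name in it (`verify_flawed`, `verify_each`, `build_sample`, the key and the sample documents) is hypothetical and constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key; stands in for the signer's key (assumption).
KEY = b"constructed-demo-key"


def sign(doc: bytes) -> bytes:
    """Stand-in signature: HMAC-SHA256 over the document bytes."""
    return hmac.new(KEY, doc, hashlib.sha256).digest()


def check(doc: bytes, sig: bytes) -> bool:
    """Verify one document against its own signature."""
    return hmac.compare_digest(sign(doc), sig)


def verify_flawed(message):
    """Models the behaviour in the description: only the first
    document is checked and its status is reported for all of them."""
    if not message:
        return []
    first_ok = check(*message[0])
    return [first_ok for _ in message]


def verify_each(message):
    """Corrected model: every document is checked against its own signature."""
    return [check(doc, sig) for doc, sig in message]


def all_good(message) -> bool:
    """Fail closed: an empty message or any bad document rejects the whole message."""
    results = verify_each(message)
    return bool(results) and all(results)


def build_sample():
    """Constructed sample: three signed documents, and a copy in which
    the second document was altered after signing."""
    docs = [b"memo one", b"memo two", b"memo three"]
    signed = [(d, sign(d)) for d in docs]
    altered = list(signed)
    altered[1] = (b"memo two (changed)", signed[1][1])
    return signed, altered


if __name__ == "__main__":
    signed, altered = build_sample()
    print("flawed model :", verify_flawed(altered))
    print("per-document :", verify_each(altered))
```

The flawed model reports every document as good because the first one is intact, while the per-document check isolates the altered entry.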