According to an announcement at gnupg.org, a problem exists when using GnuPG and GPGME to create attached signatures in email messages. As reported by Gerardo Richarte of Core Security Technologies, text can be inserted before or after the signed text in an OpenPGP message so that it appears to the user to be covered by the signature, even though it is not. All versions of GPGME up to and including 1.1.3 are affected.
Core Security Technologies also reported that several open source email clients are affected, including KDE’s KMail, Novell’s Evolution, Sylpheed, Mutt, and GnuMail.org (Joris Evers, “Bug may expose encrypted e-mail”, C/Net News.com, 8 Mar 2007).
GnuPG 1.4.7 has been released to fix this issue, and GnuPG 2.0.3 is also unaffected. It is important to note that this is not a problem in the encryption method itself; rather, it is an issue with the way a mail user agent (MUA) processes attached signatures and presents the result to the user.
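As an added illustration (not code from the gnupg.org announcement or from any of the clients named above), the following Python splits a message body into the parts a cleartext signature actually covers and the parts it does not, which is the distinction an MUA must preserve when rendering an attached signature. The armor markers and dash-escaping follow RFC 4880; the sample message is constructed and its signature data is a placeholder.

```python
# Armor markers of an OpenPGP cleartext-signed block (RFC 4880, section 7).
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def split_signed_regions(body):
    """Return (covered, text) pairs; covered=False is text outside any block."""
    regions, pos = [], 0
    while (start := body.find(BEGIN_SIGNED, pos)) >= 0:
        end = body.find(END_SIG, start)
        if end < 0:
            break  # truncated block: the remainder counts as uncovered
        end += len(END_SIG)
        if start > pos:
            regions.append((False, body[pos:start]))
        regions.append((True, body[start:end]))
        pos = end
    if pos < len(body):
        regions.append((False, body[pos:]))
    return regions

def signed_text(block):
    """Cleartext the signature covers: after the armor headers and blank line,
    up to the signature armor, with dash-escaping ('- ' prefix) undone."""
    start, sig = block.find(BEGIN_SIGNED), block.find(BEGIN_SIG)
    header_end = block.find("\n\n", start) if start >= 0 else -1
    if sig < 0 or header_end < 0 or header_end > sig:
        return ""
    lines = block[header_end + 2:sig].split("\n")
    lines = [ln[2:] if ln.startswith("- ") else ln for ln in lines]
    return "\n".join(lines).rstrip("\n")  # final line ending is not signed

def uncovered_text(body):
    # Non-blank text that a GOODSIG from the verifier does not vouch for.
    return [t.strip() for cov, t in split_signed_regions(body) if not cov and t.strip()]

# Constructed sample: text before and after a clearsigned block; placeholder signature.
SAMPLE = """This line was added before the signed block.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The invoice is attached as discussed.
- -- Alice
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

PLACEHOLDER-SIGNATURE-DATA
-----END PGP SIGNATURE-----
This line was added after it.
"""
```

An MUA that verifies the signed block with GnuPG should display only what signed_text() returns as signed and mark everything uncovered_text() returns as unsigned.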
It is recommended that organizations and developers use detached signatures for messages, since detached signatures are not affected by this type of vulnerability.