PatchSiren

PatchSiren cyber security CVE debrief

CVE-2014-4677 Gpgtools CVE debrief

CVE-2014-4677 describes a high-severity local privilege escalation in the installerHelper subcomponent of Libmacgpg used by GPG Suite. The vulnerable installPackage function can let a local user inject shell metacharacters through the xmlPath argument and execute arbitrary commands with root privileges. NVD rates the issue 7.8 (HIGH) and maps it to CWE-77.

Vendor: Gpgtools
Product: Libmacgpg (GPG Suite), tracked as CVE-2014-4677
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-22
Original CVE updated: 2026-05-13
Advisory published: 2017-02-22
Advisory updated: 2026-05-13

Who should care

Administrators and users running affected GPG Suite / Libmacgpg versions, especially on systems where local users may have interactive access or other ways to submit untrusted local input.

Technical summary

The issue is in installPackage within installerHelper in Libmacgpg. According to the supplied NVD description, unsafely handling the xmlPath argument allows shell metacharacter injection, resulting in arbitrary command execution as root. NVD lists affected Libmacgpg versions up to 0.6, and the vulnerability is categorized as CWE-77 (Command Injection).
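The following C example is added to illustrate the CWE-77 pattern described above and the defensive alternative. It is not Libmacgpg's code and does not reproduce the real installPackage function. The command prefix (/usr/sbin/installer -pkg), the allowed package directory and the helper names are assumptions chosen for the illustration. The unsafe function only builds the command string so the difference is visible; nothing is executed. The hardened path first validates xmlPath (absolute, confined to an allowed directory, no traversal, allowlisted characters) and then places it in a discrete argv slot so no shell ever parses it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative only: not Libmacgpg's code. Shows the CWE-77 pattern the
 * advisory describes (an xmlPath argument spliced into a shell command inside
 * a privileged helper) beside a defensive way to handle the same argument.
 * "/usr/sbin/installer -pkg" is an assumed command, not taken from the page. */

/* Unsafe pattern: the argument is concatenated into a shell command string.
 * Any shell metacharacter inside xmlPath changes what /bin/sh would run.
 * The string is only built here and returned; it is never executed. */
char *build_shell_command_unsafe(const char *xmlPath) {
    const char *prefix = "/usr/sbin/installer -pkg ";   /* assumed command */
    size_t n = strlen(prefix) + strlen(xmlPath) + 1;
    char *cmd = malloc(n);
    if (cmd == NULL) return NULL;
    snprintf(cmd, n, "%s%s", prefix, xmlPath);
    return cmd;   /* a vulnerable helper would hand this to system() */
}

/* Defensive check for a package path supplied by an unprivileged caller:
 * absolute, inside allowed_dir (on a directory boundary), no "." or ".."
 * components, and only allowlisted characters (so no shell metacharacters). */
bool is_acceptable_pkg_path(const char *xmlPath, const char *allowed_dir) {
    if (xmlPath == NULL || allowed_dir == NULL) return false;
    size_t len = strlen(xmlPath);
    if (len == 0 || len > 1024) return false;
    if (xmlPath[0] != '/') return false;

    /* Must be strictly below allowed_dir: prefix match plus a '/' boundary,
     * so "/allowed/pkgX/..." is rejected when allowed_dir is "/allowed/pkg". */
    size_t dlen = strlen(allowed_dir);
    if (strncmp(xmlPath, allowed_dir, dlen) != 0 || xmlPath[dlen] != '/') return false;

    /* Reject traversal and self-reference components. */
    if (strstr(xmlPath, "/../") != NULL || strstr(xmlPath, "/./") != NULL) return false;
    if (len >= 3 && strcmp(xmlPath + len - 3, "/..") == 0) return false;
    if (len >= 2 && strcmp(xmlPath + len - 2, "/.") == 0) return false;

    /* Character allowlist: letters, digits, '/', '.', '_', '-'. Everything a
     * shell could interpret (space, ';', '|', '$', '`', quotes, ...) is refused. */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)xmlPath[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '/' || c == '.' ||
                  c == '_' || c == '-';
        if (!ok) return false;
    }
    return true;
}

/* Safe alternative: after validation, the path becomes one argv element.
 * The caller would pass argv to execv() or posix_spawn(), never to system().
 * Fills a NULL-terminated argv and returns the argument count, or -1 if the
 * path is rejected or the buffer is too small. */
int build_installer_argv(const char *xmlPath, const char *allowed_dir,
                         const char *argv[], size_t argv_cap) {
    if (argv_cap < 4) return -1;
    if (!is_acceptable_pkg_path(xmlPath, allowed_dir)) return -1;
    argv[0] = "/usr/sbin/installer";   /* assumed command */
    argv[1] = "-pkg";
    argv[2] = xmlPath;                 /* passed verbatim, unparsed by any shell */
    argv[3] = NULL;
    return 3;
}

int main(void) {
    /* Constructed sample inputs: one well-formed path, one carrying a metacharacter. */
    const char *allowed = "/Library/Caches/pkg";
    const char *good = "/Library/Caches/pkg/gpgsuite.pkg";
    const char *bad  = "/Library/Caches/pkg/a.pkg; echo injected";
    const char *argv[4];

    char *cmd = build_shell_command_unsafe(bad);
    printf("unsafe string a shell would parse: %s\n", cmd ? cmd : "(alloc failed)");
    free(cmd);

    printf("good path accepted: %d\n", is_acceptable_pkg_path(good, allowed));
    printf("bad path accepted:  %d\n", is_acceptable_pkg_path(bad, allowed));
    printf("argv count for good path: %d\n", build_installer_argv(good, allowed, argv, 4));
    printf("argv count for bad path:  %d\n", build_installer_argv(bad, allowed, argv, 4));
    return 0;
}
```

The important design point is the second function: even a perfectly validated string is still safer as an argv element than as part of a shell command line, because argv bypasses shell parsing entirely. Validation is defence in depth, not a substitute for avoiding the shell in a root-privileged helper.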

Defensive priority

High. This is a local attack that can become root-level code execution, so exposure on shared or user-accessible systems should be treated as urgent.

Recommended defensive actions

  • Upgrade GPG Suite / Libmacgpg from any version before 2015.06 to a patched release referenced by the vendor advisory.
  • Confirm whether any installed Libmacgpg instances match the affected version range listed by NVD (up to 0.6).
  • Review systems where untrusted local users can run processes or influence package installation workflows.
  • Monitor the vendor release notes and official CVE/NVD entries for remediation details and version guidance.

Evidence notes

The supplied NVD record states that the installPackage function in installerHelper allows local users to execute arbitrary commands with root privileges via shell metacharacters in the xmlPath argument. It also lists the vulnerability class as CWE-77 and includes an affected CPE range for gpgtools:libmacgpg up to version 0.6. Vendor release notes and a third-party advisory are included in the supplied references.

Official resources

CVE published: 2017-02-22T16:59:00.147Z. CVE modified: 2026-05-13T00:24:29.033Z. No KEV listing is provided in the supplied data. Use the published CVE date for timing context; do not infer a separate issue date from the CVE identifier.