Looks like there is a bug in GPG that would allow someone to inject misc. data into a cryptographically signed or encrypted message without invalidating the signature of the message. Basically, it means that checking the signature status of a GPG email will not guarantee that the message is what the original sender sent.

Seems to affect all versions prior to 1.4.2.2; updates are available.

More information here.
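To check an installed copy against the 1.4.2.2 threshold mentioned above, here is a small version check, added as an example and not part of the original post. The function names are hypothetical, and it assumes the first line of `gpg --version` has the form `gpg (GnuPG) X.Y.Z` and that the reported version reflects the upstream release with no backported fixes.

```shell
#!/bin/sh
# Threshold taken from the post: versions prior to 1.4.2.2 are affected.
FIXED_VERSION="1.4.2.2"

# Extract the dotted version from the first line of `gpg --version` output,
# e.g. "gpg (GnuPG) 1.4.2.1" -> "1.4.2.1". Prints nothing if the line does not match.
parse_gpg_version() {
    printf '%s\n' "$1" | sed -n '1s/^gpg (GnuPG[^)]*) \([0-9][0-9.]*\).*$/\1/p'
}

# Return 0 if version $1 is strictly lower than version $2.
# Components are compared numerically, so 1.4.10 is newer than 1.4.2.2,
# and a missing component counts as 0, so 1.4.2 is older than 1.4.2.2.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Classify a version banner as affected, fixed, or unknown.
gpg_status() {
    v=$(parse_gpg_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo affected
    else
        echo fixed
    fi
}

# Constructed sample banners (not captured from a real system).
for banner in "gpg (GnuPG) 1.4.2.1" "gpg (GnuPG) 1.4.2.2" "gpg (GnuPG) 1.4.10"; do
    printf '%s -> %s\n' "$banner" "$(gpg_status "$banner")"
done

# On a real host: gpg_status "$(gpg --version)"
```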