The idea that there are parsing bugs in OpenPGP messages and keys shouldn't be a terrible surprise. The specification defining the format for an OpenPGP message is a touch complex, and plenty of implementations get things wrong.
Take the pgpdump utility, whose sole purpose is parsing OpenPGP messages. It makes the unfortunate decision to use signed integers throughout its packet parsing, to ill effect. To see some of the problems for yourself, run pgpdump on Manual.gpg, a maliciously crafted document (don't worry, it isn't terribly malicious -- it simply carries a large size in Field 1, which results in pgpdump reporting a negative size for the file stream). It is meant mostly as an example of why defining complex file formats, and implementing the parsing and generation engines in C, can be a daunting task.
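To make the signed-integer problem concrete, here is an added example (not pgpdump's code, and not from the original post) that parses an old-format OpenPGP packet header as laid out in RFC 4880 section 4.2.1. The first function accumulates the body length in a signed `int`, so a 4-octet length with the top bit set comes out negative, which is the behaviour the text describes. The second uses `uint32_t` and checks the declared length against the bytes actually present before anything trusts it. The sample packets, the `pkt_hdr` struct and the error codes are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Old-format OpenPGP packet header (RFC 4880 section 4.2.1).
 * Octet 0: bit 7 set, bit 6 clear (old format), bits 5-2 the tag,
 * bits 1-0 the length-type: 0 -> 1 octet, 1 -> 2 octets, 2 -> 4 octets,
 * 3 -> indeterminate. The body length follows, big-endian. */

enum {
    PKT_OK = 0,
    PKT_ERR_TRUNCATED = -1,     /* not enough input for the header or the declared body */
    PKT_ERR_FORMAT = -2,        /* bit 7 clear, or a new-format header (not handled here) */
    PKT_ERR_INDETERMINATE = -3  /* length-type 3: caller must read to end of input */
};

struct pkt_hdr {             /* hypothetical result type for this example */
    unsigned tag;            /* packet tag, e.g. 11 = literal data */
    size_t   hdr_len;        /* octets consumed by the header itself */
    uint32_t body_len;       /* declared body length, already bounds-checked */
};

/* Constructed sample: literal-data packet (tag 11), 1-octet length 5, body "hello". */
const unsigned char SAMPLE_OK[] = { 0xAC, 0x05, 'h', 'e', 'l', 'l', 'o' };
/* Constructed sample: tag 11 with a 4-octet length of 0xFFFFFFF0 and no body,
 * i.e. an oversized length field of the kind the text describes. */
const unsigned char SAMPLE_HUGE[] = { 0xAE, 0xFF, 0xFF, 0xFF, 0xF0 };

/* Defective form: the length ends up in a signed int. Returns the body length,
 * or a negative error code; with a large length the two become indistinguishable. */
int old_header_body_len_signed(const unsigned char *buf, size_t n)
{
    if (n < 1 || !(buf[0] & 0x80) || (buf[0] & 0x40))
        return PKT_ERR_FORMAT;
    unsigned ltype = buf[0] & 0x03;
    if (ltype == 3)
        return PKT_ERR_INDETERMINATE;
    size_t len_octets = (size_t)1 << ltype;          /* 1, 2 or 4 */
    if (n - 1 < len_octets)
        return PKT_ERR_TRUNCATED;
    uint32_t raw = 0;
    for (size_t i = 0; i < len_octets; i++)
        raw = (raw << 8) | buf[1 + i];
    /* Converting an out-of-range value to int is implementation-defined; on
     * two's-complement targets 0xFFFFFFF0 becomes -16, a "negative size". */
    int len = (int)raw;
    return len;
}

/* Hardened form: unsigned arithmetic, and the declared length is checked
 * against the bytes that are actually in the buffer before it is returned. */
int parse_old_header(const unsigned char *buf, size_t n, struct pkt_hdr *out)
{
    if (n < 1)
        return PKT_ERR_TRUNCATED;
    if (!(buf[0] & 0x80) || (buf[0] & 0x40))
        return PKT_ERR_FORMAT;
    unsigned ltype = buf[0] & 0x03;
    if (ltype == 3)
        return PKT_ERR_INDETERMINATE;
    size_t len_octets = (size_t)1 << ltype;          /* 1, 2 or 4 */
    if (n - 1 < len_octets)
        return PKT_ERR_TRUNCATED;
    uint32_t len = 0;
    for (size_t i = 0; i < len_octets; i++)
        len = (len << 8) | buf[1 + i];               /* unsigned: no sign bit to corrupt */
    size_t hdr_len = 1 + len_octets;
    if (len > n - hdr_len)                           /* body must fit in what we hold */
        return PKT_ERR_TRUNCATED;
    out->tag = (buf[0] >> 2) & 0x0F;
    out->hdr_len = hdr_len;
    out->body_len = len;
    return PKT_OK;
}

int main(void)
{
    struct pkt_hdr h;
    printf("signed parser on oversized length: %d\n",
           old_header_body_len_signed(SAMPLE_HUGE, sizeof SAMPLE_HUGE));
    printf("checked parser on oversized length: %d\n",
           parse_old_header(SAMPLE_HUGE, sizeof SAMPLE_HUGE, &h));
    if (parse_old_header(SAMPLE_OK, sizeof SAMPLE_OK, &h) == PKT_OK)
        printf("valid packet: tag %u, header %zu octets, body %u octets\n",
               h.tag, h.hdr_len, (unsigned)h.body_len);
    return 0;
}
```

The defensive point is the order of operations: the length is read into a type that cannot go negative, compared against the remaining input, and only then handed to the caller. A parser that stores the length first and checks it later (or never) is exactly the shape that turns a large Field 1 into a negative size or an over-read.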
The GnuPG programmers are crazy smart, plenty paranoid, and are way better C coders than I could ever hope to be. They are human, though. I'm sure they do their best to secure the tool. We remain hopeful that this little bug will turn a lot of bug-hunters' eyes to GnuPG to squash any bugs that might be lingering around the codebase.