[Pkg-gnupg-maint] Bug#771987: gnupg: several gnupg failures (infinite loop, NULL deref, out-of-bounds read, printing failure) on bad input
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Dec 4 06:44:14 UTC 2014
Package: gnupg
Version: 1.4.12-7+deb7u6
Severity: important
Tags: patch upstream
GnuPG upstream has fixed several minor failures on bad input recently,
but the fixes haven't made it into a released version of the 1.4.x
branch.
Those errors are:
 * https://bugs.g10code.com/gnupg/issue1713 - endless loop on bad input
   to mpi_invm
 * https://bugs.g10code.com/gnupg/issue1761 - canceled passphrase entry
   can cause a NULL dereference
 * off-by-one read in the UAT parser (see upstream commit
   0988764397f99db4efef1eabcdb8072d6159af76)
 * Possible printing of unprintable data when listing signature
   subpackets (see upstream commit
   596ae9f5433ca3b0e01f7acbe06fd2e424c42ae8)
I'm attaching patches for all these issues, pulled from upstream git's
STABLE-BRANCH-1-4.
--dkg
-- System Information:
Debian Release: 7.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages gnupg depends on:
ii dpkg 1.16.15
ii gpgv 1.4.12-7+deb7u6
ii install-info 4.13a.dfsg.1-10
ii libbz2-1.0 1.0.6-4
ii libc6 2.13-38+deb7u6
ii libreadline6 6.2+dfsg-0.1
ii libusb-0.1-4 2:0.1.12-20+nmu1
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages gnupg recommends:
pn gnupg-curl <none>
ii libldap-2.4-2 2.4.31-1+nmu2
Versions of packages gnupg suggests:
pn gnupg-doc <none>
pn libpcsclite1 <none>
pn xloadimage | imagemagick | eog <none>
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0007-mpi-Improve-mpi_invm-to-detect-bad-input.patch
Type: text/x-diff
Size: 861 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20141204/7c4a36d5/attachment-0004.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0016-gpg-Fix-a-NULL-deref-for-invalid-input-data.patch
Type: text/x-diff
Size: 1445 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20141204/7c4a36d5/attachment-0005.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0017-gpg-Fix-off-by-one-read-in-the-attribute-subpacket-p.patch
Type: text/x-diff
Size: 1242 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20141204/7c4a36d5/attachment-0006.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0018-gpg-Fix-use-of-uninit.value-in-listing-sig-subpkts.patch
Type: text/x-diff
Size: 1631 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20141204/7c4a36d5/attachment-0007.patch>