[pkg-gnupg-maint] Bug#787049: potential DoS when parsing mangled secret key packets
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu May 28 06:06:19 UTC 2015
Package: gnupg2
Version: 2.0.14
Severity: important
Control: tags -1 + patch
Control: forwarded -1 http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=0aac920f23fd07e152fdb7385299c92bb9a4ade3
Control: clone -1 -2
Control: reassign -2 gnupg
Control: found -2 1.4.10
Control: fixed -1 2.1.3-1

Someone who can send a bad secret key packet to a user of gnupg can
cause gpg itself to crash.

Due to the missing length checks PKTLEN may turn negative. Because
PKTLEN is an unsigned int the malloc in read_rest would try to malloc
a too large number and terminate the process with "error reading rest
of packet: Cannot allocate memory".

Patches are available for the 2.0 branch:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=0aac920f23fd07e152fdb7385299c92bb9a4ade3

and the 1.4 branch:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=506eb6fec67f170827777f2f44ced6f50745a0ad

--dkg
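
The failure mode described in this report, shown as an added example that is not part of the original message and is not GnuPG's code: an unsigned remaining-length counter wraps when a field claims more bytes than the declared packet length, next to a version that checks before each subtraction. The packet layout, `sample_fields`, and both function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout (an assumption, not GnuPG's packet format):
   byte 0 = algorithm id, byte 1 = salt length N, then N salt bytes,
   then the remainder that the parser reads in one allocation. */
static const uint8_t sample_fields[2] = { 0x03, 0x08 }; /* N = 8 */

/* Unchecked: subtracts each consumed field from the declared length.
   Returns the size the caller would pass to malloc for the remainder. */
static size_t rest_len_unchecked(const uint8_t *fields, size_t pktlen)
{
    pktlen -= 2;            /* algorithm id + salt length byte */
    pktlen -= fields[1];    /* wraps past zero if pktlen is too small */
    return pktlen;
}

/* Checked: every subtraction is preceded by a bound test.
   Returns 0 and stores the remainder, or -1 for a mangled packet. */
static int rest_len_checked(const uint8_t *fields, size_t pktlen, size_t *rest)
{
    if (pktlen < 2)
        return -1;
    pktlen -= 2;
    if (pktlen < fields[1])
        return -1;
    *rest = pktlen - fields[1];
    return 0;
}

int main(void)
{
    size_t rest = 0;
    /* Declared length 12 covers the fields; declared length 4 does not. */
    printf("well-formed: %zu\n", rest_len_unchecked(sample_fields, 12));
    printf("mangled:     %zu\n", rest_len_unchecked(sample_fields, 4));
    printf("checked well-formed rc=%d\n", rest_len_checked(sample_fields, 12, &rest));
    printf("checked mangled     rc=%d\n", rest_len_checked(sample_fields, 4, &rest));
    return 0;
}
```

With a declared length of 4, the unchecked function returns a value just below `SIZE_MAX`, which is the allocation size that fails with "Cannot allocate memory"; the checked function rejects the packet before any allocation is attempted.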