From: Werner Koch <wk@gnupg.org>
To: [email protected]
Subject: GnuPG 1.4 and 2.0 buffer overflow
Cc: [email protected]
Cc: [email protected]
Mail-Followup-To: [email protected], [email protected]
Organisation: g10 Code GmbH
OpenPGP: id=5B0358A2; url=finger:[email protected]
Date: Mon, 27 Nov 2006 18:13:02 +0100
Message-ID: <87mz6cke3l.fsf@wheatstone.g10code.de>
GnuPG 1.4 and 2.0 buffer overflow
==================================
Summary
=======
While fixing a bug reported by Hugh Warrington, a buffer overflow has
been identified in all released GnuPG versions. The current versions
1.4.5 and 2.0.0 are affected. A small patch is provided.
Please do not send private mail in response to this message. The
mailing list gnupg-devel is the best place to discuss this problem
(please subscribe first so you don't need moderator approval [1]).
Impact
======
When running GnuPG interactively, specially crafted messages may be used
to crash gpg or gpg2. Running gpg in batch mode, as done by all
software using gpg as a backend (e.g. mailers), is not affected by
this bug.
Exploiting this overflow seems to be possible.
gpg-agent, gpgsm, gpgv or other tools from the GnuPG suite are not
affected.
Solution
========
Apply the following patch to GnuPG. It should apply cleanly to
current versions (1.4.5 as well as 2.0.0) but might also work for
older versions.
2006-11-27 Werner Koch <wk@g10code.com>
* openfile.c (ask_outfile_name): Fixed buffer overflow occurring
if make_printable_string returns a longer string. Fixes bug 728.
--- g10/openfile.c (revision 4348)
+++ g10/openfile.c (working copy)
@@ -144,8 +144,8 @@
 
s = _("Enter new filename");
 
- n = strlen(s) + namelen + 10;
defname = name && namelen? make_printable_string( name, namelen, 0): NULL;
+ n = strlen(s) + (defname?strlen (defname):0) + 10;
prompt = xmalloc(n);
if( defname )
sprintf(prompt, "%s [%s]: ", s, defname );
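Review bot: the corrected size is right only because the `n = strlen(s) + (defname?strlen (defname):0) + 10;` line now sits after the `make_printable_string` call that produces `defname`; the `+ 10` slack covers the literal `" ["`, `"]: "` and the terminating NUL of the format (6 bytes), so the allocation is sufficient, but nothing in the hunk records that ordering dependency. Suggest a one-line comment on the new `n =` line stating that it must stay below the `defname` assignment, and, as belt and braces, `snprintf(prompt, n, "%s [%s]: ", s, defname);` in place of the unchanged `sprintf` so a future size miscalculation truncates instead of overflowing.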
Background:
===========
The code in question was introduced on July 1, 1999 and is a
pretty obvious bug. make_printable_string is supposed to replace
possibly dangerous characters in a prompt and returns a malloced
string. Thus this string may be longer than the original one; the
buffer for the prompt had only been allocated at the size of the original
string - oops. Note that using snprintf would not have helped in
this case. How I wish C-90 had introduced asprintf or at least it
would be available on more platforms.
The original bug report is at https://bugs.g10code.com/gnupg/issue728 .
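To make the size mismatch concrete, here is an added illustration that is not code from the GnuPG sources: a simplified stand-in for make_printable_string (an assumption about its behaviour, escaping each non-printable byte as a four-character "\xNN" sequence) next to the pre-patch and post-patch size computations, so the two can be compared on a constructed file name of control bytes.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for GnuPG's make_printable_string (an assumption, not
 * the real routine): each non-printable byte becomes a 4-byte "\xNN" escape,
 * so the malloced result may be up to four times longer than the input. */
char *make_printable_string(const unsigned char *p, size_t n)
{
    char *buf = malloc(4 * n + 1), *d = buf;
    size_t i;
    if (!buf)
        return NULL;
    for (i = 0; i < n; i++, p++) {
        if (isprint(*p) && *p != '\\')
            *d++ = (char)*p;
        else
            d += sprintf(d, "\\x%02x", *p);
    }
    *d = 0;
    return buf;
}

/* Bytes the prompt "<s> [<defname>]: " really needs, including the NUL. */
size_t prompt_needed(const char *s, const char *defname)
{
    return strlen(s) + 2 + strlen(defname) + 3 + 1;
}

/* Pre-patch sizing from the raw name length; post-patch sizing from the
 * escaped string that sprintf will actually copy into the buffer. */
size_t prompt_alloc_old(const char *s, size_t namelen) { return strlen(s) + namelen + 10; }
size_t prompt_alloc_new(const char *s, const char *defname)
{
    return strlen(s) + (defname ? strlen(defname) : 0) + 10;
}

/* Build the prompt the corrected way; snprintf is belt and braces on top. */
char *build_prompt(const char *s, const unsigned char *name, size_t namelen)
{
    char *defname = make_printable_string(name, namelen), *prompt = NULL;
    if (defname) {
        size_t n = prompt_alloc_new(s, defname);
        if ((prompt = malloc(n)) != NULL)
            snprintf(prompt, n, "%s [%s]: ", s, defname);
        free(defname);
    }
    return prompt;
}
```

With eight control bytes as the name, the old computation yields 36 bytes while the prompt actually needs 56, which is the overflow the advisory describes; the new computation yields 60.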
===
[1] See http://lists.gnupg.org/mailman/listinfo/gnupg-devel .
-- 
Werner Koch <wk@gnupg.org>
The GnuPG Experts http://g10code.com
Join the Fellowship and protect your Freedom! http://www.fsfe.org