AOH :: HP Unsorted G :: C07-1029.HTM

GnuPG 1.4 and 2.0 buffer overflow



GnuPG 1.4 and 2.0 buffer overflow
GnuPG 1.4 and 2.0 buffer overflow



--=Leitrim-embassy-CipherTAC-2000-ASO-halcon-enemy-of-the-state-Commece
Content-Transfer-Encoding: quoted-printable

            GnuPG 1.4 and 2.0 buffer overflow
           =================================
Summary
======
While fixing a bug reported by Hugh Warrington, a buffer overflow has
been identified in all released GnuPG versions.  The current versions
1.4.5 and 2.0.0 are affected.  A small patch is provided.

Please do not send private mail in response to this message.  The
mailing list gnupg-devel is the best place to discuss this problem
(please subscribe first so you don't need moderator approval [1]).


Impact
=====
When running GnuPG interactively, special crafted messages may be used
to crash gpg or gpg2.  Running gpg in batch mode, as done by all
software using gpg as a backend (e.g. mailers), is not affected by
this bug.

Exploiting this overflow seems to be possible.

gpg-agent, gpgsm, gpgv or other tools from the GnuPG suite are not
affected.



Solution
=======
Apply the following patch to GnuPG.  It should apply cleanly to
current versions (1.4.5 as well as 2.0.0) but might also work for
older versions. 

2006-11-27 Werner Koch  

	* openfile.c (ask_outfile_name): Fixed buffer overflow occurring
	if make_printable_string returns a longer string.  Fixes bug 728.

=2D-- g10/openfile.c      (revision 4348)
+++ g10/openfile.c      (working copy)
@@ -144,8 +144,8 @@
 
     s = _("Enter new filename");
 
=2D    n = strlen(s) + namelen + 10;
     defname = name && namelen? make_printable_string( name, namelen, 0): NULL;
+    n = strlen(s) + (defname?strlen (defname):0) + 10;
     prompt = xmalloc(n);
     if( defname )
        sprintf(prompt, "%s [%s]: ", s, defname );



Background:
==========
The code in question has been introduced on July 1, 1999 and is a
pretty obvious bug.  make_printable_string is supposed to replace
possible dangerous characters from a prompt and returns a malloced
string.  Thus this string may be longer than the orginal one; the
buffer for the prompt has only be allocated at the size of the original
string - oops.  Note, that using snprintf would not have helped in
this case.  How I wish C-90 had introduced asprintf or at least it
would be available on more platforms.

The original bug report is at https://bugs.g10code.com/gnupg/issue728 .



==[1] See http://lists.gnupg.org/mailman/listinfo/gnupg-devel . 


=2D- 
Werner Koch  
The GnuPG Experts http://g10code.com 
Join the Fellowship and protect your Freedom! http://www.fsfe.org 

--=Leitrim-embassy-CipherTAC-2000-ASO-halcon-enemy-of-the-state-Commece
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.1rc1 (GNU/Linux)

iEYEARECAAYFAkVrHJ4ACgkQYHhOlAEKV+3OKQCgq2DZx5xez/033RhUOUy/9ElZ
FLAAnAsIc+zYjmjvo5N8rmVtVdejeLKa
=29PW
-----END PGP SIGNATURE-----
--=Leitrim-embassy-CipherTAC-2000-ASO-halcon-enemy-of-the-state-Commece--


The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.