GnuPG 1.4 and 2.0 buffer overflow
==================================
Summary
=======
While fixing a bug reported by Hugh Warrington, a buffer overflow has
been identified in all released GnuPG versions. The current versions
1.4.5 and 2.0.0 are affected. A small patch is provided.
Please do not send private mail in response to this message. The
mailing list gnupg-devel is the best place to discuss this problem
(please subscribe first so you don't need moderator approval [1]).
Impact
======
When running GnuPG interactively, special crafted messages may be used
to crash gpg or gpg2. Running gpg in batch mode, as done by all
software using gpg as a backend (e.g. mailers), is not affected by
this bug.
Exploiting this overflow seems to be possible.
gpg-agent, gpgsm, gpgv or other tools from the GnuPG suite are not
affected.
Solution
========
Apply the following patch to GnuPG. It should apply cleanly to
current versions (1.4.5 as well as 2.0.0) but might also work for
older versions.
2006-11-27 Werner Koch <wk@g10code.com>
* openfile.c (ask_outfile_name): Fixed buffer overflow occurring
if make_printable_string returns a longer string. Fixes bug 728.
--- g10/openfile.c (revision 4348)
+++ g10/openfile.c (working copy)
@@ -144,8 +144,8 @@
s = _("Enter new filename");
- n = strlen(s) + namelen + 10;
defname = name && namelen? make_printable_string( name, namelen, 0): NULL;
+ n = strlen(s) + (defname?strlen (defname):0) + 10;
prompt = xmalloc(n);
if( defname )
sprintf(prompt, "%s [%s]: ", s, defname );
Background:
===========
The code in question has been introduced on July 1, 1999 and is a
pretty obvious bug. make_printable_string is supposed to replace
possible dangerous characters from a prompt and returns a malloced
string. Thus this string may be longer than the orginal one; the
buffer for the prompt has only be allocated at the size of the original
string - oops. Note, that using snprintf would not have helped in
this case. How I wish C-90 had introduced asprintf or at least it
would be available on more platforms.
The original bug report is at https://bugs.g10code.com/gnupg/issue728 .
===
[1] See http://lists.gnupg.org/mailman/listinfo/gnupg-devel .
--
Werner Koch <wk@gnupg.org>
The GnuPG Experts http://g10code.com
Join the Fellowship and protect your Freedom! http://www.fsfe.org
==================================
Summary
=======
While fixing a bug reported by Hugh Warrington, a buffer overflow has
been identified in all released GnuPG versions. The current versions
1.4.5 and 2.0.0 are affected. A small patch is provided.
Please do not send private mail in response to this message. The
mailing list gnupg-devel is the best place to discuss this problem
(please subscribe first so you don't need moderator approval [1]).
Impact
======
When running GnuPG interactively, special crafted messages may be used
to crash gpg or gpg2. Running gpg in batch mode, as done by all
software using gpg as a backend (e.g. mailers), is not affected by
this bug.
Exploiting this overflow seems to be possible.
gpg-agent, gpgsm, gpgv or other tools from the GnuPG suite are not
affected.
Solution
========
Apply the following patch to GnuPG. It should apply cleanly to
current versions (1.4.5 as well as 2.0.0) but might also work for
older versions.
2006-11-27 Werner Koch <wk@g10code.com>
* openfile.c (ask_outfile_name): Fixed buffer overflow occurring
if make_printable_string returns a longer string. Fixes bug 728.
--- g10/openfile.c (revision 4348)
+++ g10/openfile.c (working copy)
@@ -144,8 +144,8 @@
s = _("Enter new filename");
- n = strlen(s) + namelen + 10;
defname = name && namelen? make_printable_string( name, namelen, 0): NULL;
+ n = strlen(s) + (defname?strlen (defname):0) + 10;
prompt = xmalloc(n);
if( defname )
sprintf(prompt, "%s [%s]: ", s, defname );
Background:
===========
The code in question has been introduced on July 1, 1999 and is a
pretty obvious bug. make_printable_string is supposed to replace
possible dangerous characters from a prompt and returns a malloced
string. Thus this string may be longer than the orginal one; the
buffer for the prompt has only be allocated at the size of the original
string - oops. Note, that using snprintf would not have helped in
this case. How I wish C-90 had introduced asprintf or at least it
would be available on more platforms.
The original bug report is at https://bugs.g10code.com/gnupg/issue728 .
===
[1] See http://lists.gnupg.org/mailman/listinfo/gnupg-devel .
--
Werner Koch <wk@gnupg.org>
The GnuPG Experts http://g10code.com
Join the Fellowship and protect your Freedom! http://www.fsfe.org