Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. GnuPG>
  3. announce
Details on the GnuPG 1.4.15 and 2.0.22 release
wk at gnupg
Nov 4, 2013, 12:22 AM
Post #1 of 1 (1064 views)
Permalink
Hi!

Taylor asked me to forward this background info:

On Sat, 5 Oct 2013 10:56, wk@gnupg.org said:
> not yet been seen in the wild. Details of the attack will eventually
> be published by its inventor.

The zlib compression language that OpenPGP uses is powerful enough to
express an OpenPGP compression quine -- that is, an OpenPGP compressed
data packet that decompresses to itself -- causing infinite nesting of
OpenPGP packets. Source code to generate such a quine is at
<http://mumble.net/~campbell/misc/pgp-quine/>.

When fed the quine, older versions of GnuPG would blow the stack and
crash. GnuPG 1.4.15 and GnuPG 2.0.22 avoid this by setting a small
constant bound on the depth of packet nesting.

(This is similar to Tavis Ormandy's IPcomp compression quine, reported
in CVE-2011-1547, which I didn't know about at the time I made the
OpenPGP compression quine. Both of us had read Russ Cox's article on
zlib compression quines: <http://research.swtch.com/zip>.)



Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.


_______________________________________________
Gnupg-announce mailing list
Gnupg-announce@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal