Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Fri, 03 Jun 2011 18:21:23 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security <oss-security@...ts.openwall.com>,
        Bernhard Reiter <bernhard@...evation.de>,
        Tomas Mraz <tmraz@...hat.com>
Subject: CVE Request / Discussion -- dirmngr -- Improper dealing with blocking
 system calls, when verifying a certificate


Hello, Josh, Steve, Bernhard, vendors,

   based on:
   [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377
   [2] https://bugs.g10code.com/gnupg/issue1313
       (upstream bug report)
   [3] https://bugs.g10code.com/gnupg/file324/DTAG_Issuing_CA_i01.der
       (public PoC)
   [4] http://cvs.gnupg.org/cgi-bin/viewcvs.cgi?root=Dirmngr&view=rev
       (relevant upstream patch)

it concluded:
[5] https://bugzilla.redhat.com/show_bug.cgi?id=710529

i.e.:
"Dirmngr, server/client tool for managing and downloading CRLS, used
user land threads implementation (Pth) for wrapping up of system calls,
that may potentially block. A remote attacker could use this flaw to
cause a hang of an end-user application, relying of the proper services
of the dirmngr daemon, via a request to verify a specially-crafted
certificate."

But simultaneously with filling that Red Hat Bugzilla issue tracking
system entry performed some basic investigation, results of which can
be seen at:
[6] https://bugzilla.redhat.com/show_bug.cgi?id=710529#c2

IOW was not able to reproduce the complete / indefinite dirmngr-client
hang (thus blocking other clients from access). As noted in [6], it
is true that during small time period running 'dirmngr' daemon instance
is unresponsive also for '--ping' (dirmngr-client --ping) commands, but
after finite time (~21 seconds in my test) the connection ends up with
timeout.

Though Bernard in:
[7] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377#5

mentions "For example the KMail hung when trying to verify a signature
which has the certificate in the chain." which would suggest there may
exist clients / end-user application not able to recover from this bug
properly. Bernhard, hopefully here, you could clarify / list such
applications and provide also time details, how long that hang of such
applications took.

Based on your reply, this may not / may be worthy (in case there are
such end-user applications) of an CVE identifier.

Thank you & Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ