Date: Fri, 03 Jun 2011 18:21:23 +0200 From: Jan Lieskovsky <jlieskov@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org> CC: oss-security <oss-security@...ts.openwall.com>, Bernhard Reiter <bernhard@...evation.de>, Tomas Mraz <tmraz@...hat.com> Subject: CVE Request / Discussion -- dirmngr -- Improper dealing with blocking system calls, when verifying a certificate Hello, Josh, Steve, Bernhard, vendors, based on:  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377  https://bugs.g10code.com/gnupg/issue1313 (upstream bug report)  https://bugs.g10code.com/gnupg/file324/DTAG_Issuing_CA_i01.der (public PoC)  http://cvs.gnupg.org/cgi-bin/viewcvs.cgi?root=Dirmngr&view=rev (relevant upstream patch) it concluded:  https://bugzilla.redhat.com/show_bug.cgi?id=710529 i.e.: "Dirmngr, server/client tool for managing and downloading CRLS, used user land threads implementation (Pth) for wrapping up of system calls, that may potentially block. A remote attacker could use this flaw to cause a hang of an end-user application, relying of the proper services of the dirmngr daemon, via a request to verify a specially-crafted certificate." But simultaneously with filling that Red Hat Bugzilla issue tracking system entry performed some basic investigation, results of which can be seen at:  https://bugzilla.redhat.com/show_bug.cgi?id=710529#c2 IOW was not able to reproduce the complete / indefinite dirmngr-client hang (thus blocking other clients from access). As noted in , it is true that during small time period running 'dirmngr' daemon instance is unresponsive also for '--ping' (dirmngr-client --ping) commands, but after finite time (~21 seconds in my test) the connection ends up with timeout. Though Bernard in:  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377#5 mentions "For example the KMail hung when trying to verify a signature which has the certificate in the chain." which would suggest there may exist clients / end-user application not able to recover from this bug properly. Bernhard, hopefully here, you could clarify / list such applications and provide also time details, how long that hang of such applications took. Based on your reply, this may not / may be worthy (in case there are such end-user applications) of an CVE identifier. Thank you & Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ