Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 6 Jun 2011 13:42:10 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Bernhard Reiter <bernhard@...evation.de>, Tomas Mraz <tmraz@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request / Discussion -- dirmngr -- Improper
 dealing with blocking system calls, when verifying a certificate

----- Original Message -----
> Hello, Josh, Steve, Bernhard, vendors,
> 
> based on:
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377
> [2] https://bugs.g10code.com/gnupg/issue1313
> (upstream bug report)
> [3] https://bugs.g10code.com/gnupg/file324/DTAG_Issuing_CA_i01.der
> (public PoC)
> [4] http://cvs.gnupg.org/cgi-bin/viewcvs.cgi?root=Dirmngr&view=rev
> (relevant upstream patch)
> 
> it concluded:
> [5] https://bugzilla.redhat.com/show_bug.cgi?id=710529
> 
> i.e.:
> "Dirmngr, server/client tool for managing and downloading CRLS, used user
> land threads implementation (Pth) for wrapping up of system calls, that
> may potentially block. A remote attacker could use this flaw to cause a
> hang of an end-user application, relying of the proper services of the
> dirmngr daemon, via a request to verify a specially-crafted certificate."
> 
> But simultaneously with filling that Red Hat Bugzilla issue tracking
> system entry performed some basic investigation, results of which can
> be seen at:
> [6] https://bugzilla.redhat.com/show_bug.cgi?id=710529#c2
> 
> IOW was not able to reproduce the complete / indefinite dirmngr-client
> hang (thus blocking other clients from access). As noted in [6], it is
> true that during small time period running 'dirmngr' daemon instance is
> unresponsive also for '--ping' (dirmngr-client --ping) commands, but
> after finite time (~21 seconds in my test) the connection ends up with
> timeout.
> 
> Though Bernard in:
> [7] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377#5
> 
> mentions "For example the KMail hung when trying to verify a signature
> which has the certificate in the chain." which would suggest there may
> exist clients / end-user application not able to recover from this bug
> properly. Bernhard, hopefully here, you could clarify / list such
> applications and provide also time details, how long that hang of such
> applications took.
> 
> Based on your reply, this may not / may be worthy (in case there are
> such end-user applications) of an CVE identifier.
> 

Is this expected to only be used by end user applications? It seems to me
that if an attacker can DoS a client, it's not a security issue, especially
when you consider the use (if a bad guy can interact with dirmngr, there
are probably bigger potential issues).

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.