Date: Tue, 01 Jan 2013 00:22:45 -0700 From: Kurt Seifried <kseifried@...hat.com> To: KB Sriram <kbsriram@...il.com> CC: bugtraq@...urityfocus.com, "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: Re: GnuPG 1.4.12 and lower - memory access errors and keyring database corruption -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/28/2012 06:06 PM, KB Sriram wrote: > Versions of GnuPG <= 1.4.12 are vulnerable to memory access > violations and public keyring database corruption when importing > public keys that have been manipulated. > > An OpenPGP key can be fuzzed in such a way that gpg segfaults (or > has other memory access violations) when importing the key. > > The key may also be fuzzed such that gpg reports no errors when > examining the key (eg: "gpg the_bad_key.pkr") but importing it > causes gpg to corrupt its public keyring database. > > The database corruption issue was first reported on Dec 6th, > through the gpg bug tracking system: > > https://bugs.g10code.com/gnupg/issue1455 > > The subsequent memory access violation was discovered and reported > in a private email with the maintainer on Dec 20th. > > A zip file with keys that causes segfaults and other errors is > available at > http://dl.dropbox.com/u/18852638/gnupg-issues/1455.zip and includes > a log file that demonstrates the issues [on MacOS X and gpg > 1.4.11] > > A new version of gpg -- 1.4.13 -- that addressed both these issues, > was independently released by the maintainer on Dec 20th. > > The simplest solution is to upgrade all gpg installs to 1.4.13. > > [Workarounds: A corrupted database may be recovered by manually > copying back the pubring.gpg~ backup file. Certain errors may also > be prevented by never directly importing a key, but first just > "looking" at the key (eg: "gpg bad_key.pkr"). However, this is not > guaranteed to work in all cases; though upgrading to 1.4.13 does > work for the issues reported.] > > Discovery: > > The problem was discovered during a byte-fuzzing test of OpenPGP > certificates for an unrelated application. Each byte in turn was > replaced by a random byte, and the modified certificate fed to the > application to check that it handled errors correctly. Gpg was used > as a control, but it itself turned out to have errors related to > packet parsing. The errors are generally triggered when fuzzing the > length field of OpenPGP packets, which cascades into subsequent > errors in certain situations. > > -kb Has this been assigned a CVE identifier yet? - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBAgAGBQJQ4o7EAAoJEBYNRVNeJnmTjAAP/2rEPCntRzkWeE6l+LknWkzk HiIqNWOpRuJMPJ9cqNBM5Egc4XgXCLPNuzlgLhuVuZOHNdU/s7Ca8x0QpLROiC/H 0dHUHDD918CnElZ6f5ZEf/9vhnBhSud7cvpmJSDYjVjspfAYR//ehypPSlms/t4n Ph3pQh8huWarV4M+Qx+pZsfFYnB6GSZCI2DzUfgVi/69fdbSKsRNRNb7vabmjQ96 4Y7wOz9P/8WoqDAubvwewk8I7QkTPVbAq4JI0KMJS+2/C/NtkrESYmCZ0//xcox7 iotd5Sjx/nNKDCNxZlTZ+Zdj61/LzLaXCRJx7o9scBHK4MpucpMUisYoVywlueKk hPcC0jCWYchUPbJGyLLP4qOhIx8xY4see2qYLW8eo6GIDvtlYwcGP81FNt8O4XAd 6kIeewsGA1aF1+ndVlYjqzlf/kAbs+IkSxmNYK/EwFjhvHT+/jfFq+nOJfyo27kr T0/00dnrz8zjt8+9nJU+P4YzBrTlU0QhVvBR/FwSuWaxUHSYBz8eXPc29sqMUMiQ jTqA9KOwi1XYgLrY0w2g4i6CCI+Ud2imCnNvWN+OeTkIT8gpbjK8cpeY0AjiE7Rd leBXcqJ6SmwGJigKeau0fyJQFNyFplstnVi4ZXbKof+PWPq8AElEIIa4Xgn/YFj4 m0wuEBezBNChTLi5xjvO =Ai5t -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ