Date: Tue, 01 Jan 2013 16:24:28 -0700 From: Kurt Seifried <kseifried@...hat.com> To: KB Sriram <kbsriram@...il.com> CC: bugtraq@...urityfocus.com, "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, wk@...pg.org Subject: Re: GnuPG 1.4.12 and lower - memory access errors and keyring database corruption -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/01/2013 12:22 AM, Kurt Seifried wrote: > On 12/28/2012 06:06 PM, KB Sriram wrote: >> Versions of GnuPG <= 1.4.12 are vulnerable to memory access >> violations and public keyring database corruption when importing >> public keys that have been manipulated. > >> An OpenPGP key can be fuzzed in such a way that gpg segfaults (or >> has other memory access violations) when importing the key. > >> The key may also be fuzzed such that gpg reports no errors when >> examining the key (eg: "gpg the_bad_key.pkr") but importing it >> causes gpg to corrupt its public keyring database. > >> The database corruption issue was first reported on Dec 6th, >> through the gpg bug tracking system: > >> https://bugs.g10code.com/gnupg/issue1455 > >> The subsequent memory access violation was discovered and reported >> in a private email with the maintainer on Dec 20th. > >> A zip file with keys that causes segfaults and other errors is >> available at >> http://dl.dropbox.com/u/18852638/gnupg-issues/1455.zip and includes >> a log file that demonstrates the issues [on MacOS X and gpg >> 1.4.11] > >> A new version of gpg -- 1.4.13 -- that addressed both these issues, >> was independently released by the maintainer on Dec 20th. > >> The simplest solution is to upgrade all gpg installs to 1.4.13. > >> [Workarounds: A corrupted database may be recovered by manually >> copying back the pubring.gpg~ backup file. Certain errors may also >> be prevented by never directly importing a key, but first just >> "looking" at the key (eg: "gpg bad_key.pkr"). However, this is not >> guaranteed to work in all cases; though upgrading to 1.4.13 does >> work for the issues reported.] > >> Discovery: > >> The problem was discovered during a byte-fuzzing test of OpenPGP >> certificates for an unrelated application. Each byte in turn was >> replaced by a random byte, and the modified certificate fed to the >> application to check that it handled errors correctly. Gpg was used >> as a control, but it itself turned out to have errors related to >> packet parsing. The errors are generally triggered when fuzzing the >> length field of OpenPGP packets, which cascades into subsequent >> errors in certain situations. > >> -kb > > Has this been assigned a CVE identifier yet? Spoke with upstream, confirmed things. Please use CVE-2012-6085 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBAgAGBQJQ43AsAAoJEBYNRVNeJnmTWBkP/2+7T2S3n6KOc0VQjcDlK9Yo kUauilVJcH9QKZW28JHGzQnNUV/jf8csjtGsWBawVi7ofrlNNbNLRXTBe3OqEaxM ltLB0049NjMQ4sdf9agur3t7kXFJkRarMQZ+DGnlQAYClZggEsztWhwMCOozMiay /NuJsUQvlAtzRcRYZEyI0P3R5ecfsu0JHJuf9on/bc4hXgl4A6kl02IGaaZi69hU faYdeGXRKjDKWp7fsLdWXVO4S43+QV2VKADdkxC5+fef9b1lHH6cHhobsZCb8ZCl pVx19tF/jid7Lz3QyLeaJNuKsu/H65/xJvnhUTdUr3viqo3cArudNNhkb2Fu+8u8 Y03M1w6jdMpO2ENNjgrlrlgLZ4zCk/A8enK61DJnll7oIhVGbn58K0AVSmfcPJtN V+JklmvbEwJwxlOw9MxWkJ6nuQrXaFJRB5ruQnuvLneEWHsfPYlJMUpUmtmg3VWe 4gbFn774VplIxLuo3wHDwPdaWT7piMvBZLdHvLvRyfx7yBY9zphFsW4zQvZH2hGa jMpUj2g8mR2Tw03REXrvgj+GNqMKy516d1YbVm8Y8//TCHMYt8EWeXHJ4COS/9WO rKxEBi8kpL/rc5VFOD+76S3Skp2jgYAql9BTbBp4DoJd7jtT8boRYjJFWWzpiwxi isKwpf/bS3MC+ZxHKTNe =zCWo -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ