Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 13 Feb 2015 18:27:31 -0500 (EST)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Multiple issues in GnuPG found through keyring fuzzing (TFPA 001/2015)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html

Can you provide more information about a scenario in which a GnuPG
NULL pointer dereference has a security impact? A typical use case of
GnuPG is a single session with a single command line. The code in
question is not part of Libgcrypt, which may be used for long-running
processes.

Do you mean that:

  1. it is possible to create the problematic keyring
     using --import commands, e.g., the user has
     imported normal keys for years and now imports
     a crafted key

  2. the problematic keyring makes the product largely
     unusable, e.g., there is a crash with a common
     command such as --list-keys

  3. it is not possible to fix the problematic keyring
     with any available commands such as --delete-keys

  4. therefore, the product remains unusable unless the
     user obtains other code to correct the keyring, and
     thus there is a denial of service

?

If the situation were something like:

  1. the problematic keyring cannot be created using
     --import commands; the issue is specific to a
    new keyring that a user obtains from an untrusted
    source

  2. there is a crash in some situation

  3. the user can avoid the impact by discontinuing
     use of this new keyring

then we think that a CVE ID may not be applicable.

Also, access to each of your four crashes.fuzzing-project.org URLs
currently fails with a 403. We can probably provide at least two CVE
IDs in total after those URLs are available.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJU3of5AAoJEKllVAevmvmscd8IAIJeHfu3UoyLoA3gs+SIsy+F
d45YIjagmNB/U9i5AYtBCgD+c3SYZnkCOFuqNjaxJPd0NgnhI6rkuc5bgkrbGKzL
SwVrHWtyqHBmfWHDvetekXaBSRvG0ufSJ4LkKpLD+aRXNQ/qqVqeEUT0U91TzIZH
0nv9ALKhfm41/cU6USACsRb16cfOdiWJ/dPrFFCRBmirM9RV01T+XXNeHLLPN1H1
9Rn5tyYWyu7NU9dmPhRJTwicyG9+apga9724lnuwzp6ujI0tT8pNSCm5xkQYiCHE
z96Kn1DjncJ7vRCs8v7+vVK4qB1qNjpHUd2pLqDr+1sy7d3uwT+W8kHY6cP0QL4=
=lEJf
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.