Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 03 Jun 2011 18:21:23 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security <oss-security@...ts.openwall.com>,
        Bernhard Reiter <bernhard@...evation.de>,
        Tomas Mraz <tmraz@...hat.com>
Subject: CVE Request / Discussion -- dirmngr -- Improper dealing with blocking
 system calls, when verifying a certificate


Hello, Josh, Steve, Bernhard, vendors,

   based on:
   [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377
   [2] https://bugs.g10code.com/gnupg/issue1313
       (upstream bug report)
   [3] https://bugs.g10code.com/gnupg/file324/DTAG_Issuing_CA_i01.der
       (public PoC)
   [4] http://cvs.gnupg.org/cgi-bin/viewcvs.cgi?root=Dirmngr&view=rev
       (relevant upstream patch)

it concluded:
[5] https://bugzilla.redhat.com/show_bug.cgi?id=710529

i.e.:
"Dirmngr, server/client tool for managing and downloading CRLS, used
user land threads implementation (Pth) for wrapping up of system calls,
that may potentially block. A remote attacker could use this flaw to
cause a hang of an end-user application, relying of the proper services
of the dirmngr daemon, via a request to verify a specially-crafted
certificate."

But simultaneously with filling that Red Hat Bugzilla issue tracking
system entry performed some basic investigation, results of which can
be seen at:
[6] https://bugzilla.redhat.com/show_bug.cgi?id=710529#c2

IOW was not able to reproduce the complete / indefinite dirmngr-client
hang (thus blocking other clients from access). As noted in [6], it
is true that during small time period running 'dirmngr' daemon instance
is unresponsive also for '--ping' (dirmngr-client --ping) commands, but
after finite time (~21 seconds in my test) the connection ends up with
timeout.

Though Bernard in:
[7] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377#5

mentions "For example the KMail hung when trying to verify a signature
which has the certificate in the chain." which would suggest there may
exist clients / end-user application not able to recover from this bug
properly. Bernhard, hopefully here, you could clarify / list such
applications and provide also time details, how long that hang of such
applications took.

Based on your reply, this may not / may be worthy (in case there are
such end-user applications) of an CVE identifier.

Thank you & Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.