Date: Mon, 6 Jun 2011 13:42:10 -0400 (EDT) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: Bernhard Reiter <bernhard@...evation.de>, Tomas Mraz <tmraz@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE Request / Discussion -- dirmngr -- Improper dealing with blocking system calls, when verifying a certificate ----- Original Message ----- > Hello, Josh, Steve, Bernhard, vendors, > > based on: >  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377 >  https://bugs.g10code.com/gnupg/issue1313 > (upstream bug report) >  https://bugs.g10code.com/gnupg/file324/DTAG_Issuing_CA_i01.der > (public PoC) >  http://cvs.gnupg.org/cgi-bin/viewcvs.cgi?root=Dirmngr&view=rev > (relevant upstream patch) > > it concluded: >  https://bugzilla.redhat.com/show_bug.cgi?id=710529 > > i.e.: > "Dirmngr, server/client tool for managing and downloading CRLS, used user > land threads implementation (Pth) for wrapping up of system calls, that > may potentially block. A remote attacker could use this flaw to cause a > hang of an end-user application, relying of the proper services of the > dirmngr daemon, via a request to verify a specially-crafted certificate." > > But simultaneously with filling that Red Hat Bugzilla issue tracking > system entry performed some basic investigation, results of which can > be seen at: >  https://bugzilla.redhat.com/show_bug.cgi?id=710529#c2 > > IOW was not able to reproduce the complete / indefinite dirmngr-client > hang (thus blocking other clients from access). As noted in , it is > true that during small time period running 'dirmngr' daemon instance is > unresponsive also for '--ping' (dirmngr-client --ping) commands, but > after finite time (~21 seconds in my test) the connection ends up with > timeout. > > Though Bernard in: >  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377#5 > > mentions "For example the KMail hung when trying to verify a signature > which has the certificate in the chain." which would suggest there may > exist clients / end-user application not able to recover from this bug > properly. Bernhard, hopefully here, you could clarify / list such > applications and provide also time details, how long that hang of such > applications took. > > Based on your reply, this may not / may be worthy (in case there are > such end-user applications) of an CVE identifier. > Is this expected to only be used by end user applications? It seems to me that if an attacker can DoS a client, it's not a security issue, especially when you consider the use (if a bad guy can interact with dirmngr, there are probably bigger potential issues). Thanks. -- JB
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.