Date: Tue, 06 Jan 2015 21:35:29 +1100
From: Joshua Rogers <oss@...ernot.info>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request(s): GnuPG 2/GPG2

On 06/01/15 04:42, cve-assign@...re.org wrote:
>
> What is the attack scenario for these double frees?  It is not
> immediately clear whether there is a role for an attacker who is not
> the GnuPG user.
Here is the response from Werner:

---

>> Double free in scd/command.c:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773471

Could be triggered due to an out of memory condition or a wrong use of a
function.  Hard to exploit I guess.

>> Double free in sm/minip12.c:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773472

That may happen if iconv_open fails.  Memory error or utf-8 not
available.  Note that the buffer is allocated in our secure memory and
thus the gcry_free() zeroes the memory.  I can't see how this can be
exploited but I am not an expert for this.
--- 


Hopefully that answers the question,


Thanks,
-- 
-- Joshua Rogers <https://internot.info/>

