Date: Fri, 13 Feb 2015 18:27:31 -0500 (EST) From: cve-assign@...re.org To: hanno@...eck.de Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: Multiple issues in GnuPG found through keyring fuzzing (TFPA 001/2015) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html Can you provide more information about a scenario in which a GnuPG NULL pointer dereference has a security impact? A typical use case of GnuPG is a single session with a single command line. The code in question is not part of Libgcrypt, which may be used for long-running processes. Do you mean that: 1. it is possible to create the problematic keyring using --import commands, e.g., the user has imported normal keys for years and now imports a crafted key 2. the problematic keyring makes the product largely unusable, e.g., there is a crash with a common command such as --list-keys 3. it is not possible to fix the problematic keyring with any available commands such as --delete-keys 4. therefore, the product remains unusable unless the user obtains other code to correct the keyring, and thus there is a denial of service ? If the situation were something like: 1. the problematic keyring cannot be created using --import commands; the issue is specific to a new keyring that a user obtains from an untrusted source 2. there is a crash in some situation 3. the user can avoid the impact by discontinuing use of this new keyring then we think that a CVE ID may not be applicable. Also, access to each of your four crashes.fuzzing-project.org URLs currently fails with a 403. We can probably provide at least two CVE IDs in total after those URLs are available. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJU3of5AAoJEKllVAevmvmscd8IAIJeHfu3UoyLoA3gs+SIsy+F d45YIjagmNB/U9i5AYtBCgD+c3SYZnkCOFuqNjaxJPd0NgnhI6rkuc5bgkrbGKzL SwVrHWtyqHBmfWHDvetekXaBSRvG0ufSJ4LkKpLD+aRXNQ/qqVqeEUT0U91TzIZH 0nv9ALKhfm41/cU6USACsRb16cfOdiWJ/dPrFFCRBmirM9RV01T+XXNeHLLPN1H1 9Rn5tyYWyu7NU9dmPhRJTwicyG9+apga9724lnuwzp6ujI0tT8pNSCm5xkQYiCHE z96Kn1DjncJ7vRCs8v7+vVK4qB1qNjpHUd2pLqDr+1sy7d3uwT+W8kHY6cP0QL4= =lEJf -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.