GnuPG 1.4 and 2.0 buffer overflow

To:	gnupg-announce@gnupg.org
Subject:	GnuPG 1.4 and 2.0 buffer overflow
From:	Werner Koch <wk@gnupg.org>
Date:	Mon, 27 Nov 2006 18:13:02 +0100
Cc:	bugtraq@securityfocus.com
Cc:	lwn@lwn.net
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	bugtraq-list@securepoint.com
Delivered-to:	mailing list bugtraq@securityfocus.com
Delivered-to:	moderator for bugtraq@securityfocus.com
List-help:	<mailto:bugtraq-help@securityfocus.com>
List-id:	<bugtraq.list-id.securityfocus.com>
List-post:	<mailto:bugtraq@securityfocus.com>
List-subscribe:	<mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe:	<mailto:bugtraq-unsubscribe@securityfocus.com>
Mail-followup-to:	bugtraq@securityfocus.com, gnupg-devel@gnupg.org
Mailing-list:	contact bugtraq-help@securityfocus.com; run by ezmlm
Openpgp:	id=5B0358A2; url=finger:wk@g10code.com
Organisation:	g10 Code GmbH
User-agent:	Gnus/5.110006 (No Gnus v0.6)

            GnuPG 1.4 and 2.0 buffer overflow
           ==================================

Summary
=======

While fixing a bug reported by Hugh Warrington, a buffer overflow has
been identified in all released GnuPG versions.  The current versions
1.4.5 and 2.0.0 are affected.  A small patch is provided.

Please do not send private mail in response to this message.  The
mailing list gnupg-devel is the best place to discuss this problem
(please subscribe first so you don't need moderator approval [1]).


Impact
======

When running GnuPG interactively, special crafted messages may be used
to crash gpg or gpg2.  Running gpg in batch mode, as done by all
software using gpg as a backend (e.g. mailers), is not affected by
this bug.

Exploiting this overflow seems to be possible.

gpg-agent, gpgsm, gpgv or other tools from the GnuPG suite are not
affected.



Solution
========

Apply the following patch to GnuPG.  It should apply cleanly to
current versions (1.4.5 as well as 2.0.0) but might also work for
older versions. 

2006-11-27  Werner Koch  <wk@g10code.com>

        * openfile.c (ask_outfile_name): Fixed buffer overflow occurring
        if make_printable_string returns a longer string.  Fixes bug 728.

--- g10/openfile.c      (revision 4348)
+++ g10/openfile.c      (working copy)
@@ -144,8 +144,8 @@
 
     s = _("Enter new filename");
 
-    n = strlen(s) + namelen + 10;
     defname = name && namelen? make_printable_string( name, namelen, 0): NULL;
+    n = strlen(s) + (defname?strlen (defname):0) + 10;
     prompt = xmalloc(n);
     if( defname )
        sprintf(prompt, "%s [%s]: ", s, defname );



Background:
===========

The code in question has been introduced on July 1, 1999 and is a
pretty obvious bug.  make_printable_string is supposed to replace
possible dangerous characters from a prompt and returns a malloced
string.  Thus this string may be longer than the orginal one; the
buffer for the prompt has only be allocated at the size of the original
string - oops.  Note, that using snprintf would not have helped in
this case.  How I wish C-90 had introduced asprintf or at least it
would be available on more platforms.

The original bug report is at https://bugs.g10code.com/gnupg/issue728 .



===
[1] See http://lists.gnupg.org/mailman/listinfo/gnupg-devel .


-- 
Werner Koch                                      <wk@gnupg.org>
The GnuPG Experts                                http://g10code.com
Join the Fellowship and protect your Freedom!    http://www.fsfe.org

pgpxR5pSyVUh6.pgp
Description: PGP signature

<Prev in Thread]	Current Thread	[Next in Thread>
GnuPG 1.4 and 2.0 buffer overflow, Werner Koch <= safely concatenating strings in portable C (Re: GnuPG 1.4 and 2.0 buffer overflow), Solar Designer

Previous by Date:	SYMSA-2006-011: JBoss Java Class DeploymentFileRepository Directory Traversal, research
Next by Date:	CVE-2006-5815: remote code execution in ProFTPD, John Morrissey
Previous by Thread:	SYMSA-2006-011: JBoss Java Class DeploymentFileRepository Directory Traversal, research
Next by Thread:	safely concatenating strings in portable C (Re: GnuPG 1.4 and 2.0 buffer overflow), Solar Designer
Indexes:	[Date] [Thread] [Top] [All Lists]