Title: gpg segfaults on 'af' byte
Priority: bug
Status: resolved
Category: gnupg
Version: 1.4.5
Nosy List: HughWarrington, werner
Assigned To: werner

Created on 2006-11-24.12:46:41 by [P] HughWarrington, last changed 2006-12-20.17:46:08 by werner.

Attached file: fil (application/octet-stream), uploaded by HughWarrington on 2006-11-24.12:46:38
msg1881 Author: werner Date: 2006-12-02.18:05:10
This bug has the vulnerability id: CVE-2006-6169.
Fixed in 2.0.1.
msg1864 Author: werner Date: 2006-11-27.16:45:18
Fixed in SVN.  See the previous message for a patch which is suitable for gnupg
1.4 as well as for 2.0.

It is actually a buffer overflow caused by make_printable_string possibly
returning a string longer than NAMELEN (which comes directly from the OpenPGP
package and is 255 in the reported case).  Very stupid bug. 

Fortunately, it is not very easy to exploit because it will occur only in
interactive mode and any exploit code must be written in a way that
make_printable_string inserts extra characters (C-escape sequences) into the
exploit code to introduce the overflow.
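An added worked example (not GnuPG's code and not part of this report) of the sizing mistake described in the message above: a hypothetical stand-in for make_printable_string() that escapes non-printable bytes as \xNN, the pre-patch allocation computed from namelen, and the patch's corrected sizing with the write bounded by snprintf. PROMPT_TEXT, printable_length, make_printable_copy, old_alloc_size and build_prompt are names invented for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char *PROMPT_TEXT = "Enter new filename";
/* Hypothetical stand-in for GnuPG's make_printable_string(): each byte that
 * is not printable ASCII becomes the C escape "\xNN", so 1 byte in, 4 out. */
static size_t printable_length(const unsigned char *name, size_t namelen)
{
    size_t out = 0;
    for (size_t i = 0; i < namelen; i++)
        out += isprint(name[i]) ? 1 : 4;
    return out;
}

static char *make_printable_copy(const unsigned char *name, size_t namelen)
{
    char *buf = malloc(printable_length(name, namelen) + 1), *p = buf;
    if (!buf)
        return NULL;
    for (size_t i = 0; i < namelen; i++) {
        if (isprint(name[i]))
            *p++ = (char)name[i];
        else
            p += sprintf(p, "\\x%02x", name[i]);
    }
    *p = '\0';
    return buf;
}

/* Pre-patch allocation: sized from the raw packet length, not the escaped one. */
static size_t old_alloc_size(size_t namelen)
{
    return strlen(PROMPT_TEXT) + namelen + 10;
}

/* Post-patch sizing: n is derived from the escaped string; snprintf bounds the write. */
static char *build_prompt(const unsigned char *name, size_t namelen)
{
    char *defname = namelen ? make_printable_copy(name, namelen) : NULL;
    size_t n = strlen(PROMPT_TEXT) + (defname ? strlen(defname) : 0) + 10;
    char *prompt = malloc(n);
    if (prompt && defname)
        snprintf(prompt, n, "%s [%s]: ", PROMPT_TEXT, defname);
    else if (prompt)
        snprintf(prompt, n, "%s: ", PROMPT_TEXT);
    free(defname);
    return prompt;
}
```

Two 0xaf bytes are enough to expose the old arithmetic: the escaped default name is 8 characters, so the 30-byte allocation is short of the 32 the prompt needs, and if all 255 bytes of the reported namelen need escaping the gap is 283 against 1043.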
msg1863 Author: werner Date: 2006-11-27.16:23:21
--- openfile.c  (revision 4348)
+++ openfile.c  (working copy)
@@ -144,8 +144,8 @@
     s = _("Enter new filename");
-    n = strlen(s) + namelen + 10;
     defname = name && namelen? make_printable_string( name, namelen, 0): NULL;
+    n = strlen(s) + (defname?strlen (defname):0) + 10;
     prompt = xmalloc(n);
     if( defname )
        sprintf(prompt, "%s [%s]: ", s, defname );
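Review bot: the allocation is now sized from defname, but the write at the end of the hunk is still an unbounded `sprintf(prompt, "%s [%s]: ", s, defname );`; since n is already computed, `snprintf(prompt, n, "%s [%s]: ", s, defname);` would keep any future size miscalculation from turning into another heap overflow. The +10 slack is sufficient for the format (" [", "]: " and the NUL make 5 bytes), so nothing else changes. Minor style point: `strlen (defname)` has a space before the parenthesis while `strlen(s)` on the same line does not.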
msg1851 Author: HughWarrington Date: 2006-11-24.12:46:38
If I create a file containing just the single byte with hex value 'af' in it,
gpg segfaults on it (see attached file). i.e.

hjmw2@mong:~$ gpg fil
gpg: fil: unknown suffix
*** glibc detected *** free(): invalid next size (fast): 0x08127d18 ***
Date                 User            Action  Args
2006-12-20 17:46:08  werner          set     status: testing -> resolved
2006-12-02 18:05:12  werner          set     messages: + msg1881
2006-11-27 16:45:18  werner          set     status: in-progress -> testing; messages: + msg1864
2006-11-27 16:23:21  werner          set     messages: + msg1863
2006-11-27 16:12:26  werner          set     status: unread -> in-progress; assignedto: werner; nosy: + werner
2006-11-24 12:46:41  HughWarrington  create