Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 156476 - app-crypt/gnupg 1.4 and 2.0 buffer overflow (CVE-2006-6169)
Summary: app-crypt/gnupg 1.4 and 2.0 buffer overflow (CVE-2006-6169)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Other
: High normal (vote)
Assignee: Gentoo Security
URL: https://bugs.g10code.com/gnupg/issue728
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2006-11-27 21:58 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2006-12-10 05:38 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2006-11-27 21:58:24 UTC
From: 	  wk@gnupg.org
	Subject: 	GnuPG 1.4 and 2.0 buffer overflow
	Date: 	November 27, 2006 12:13:02 PM EST
	To: 	  gnupg-announce@gnupg.org
	Cc: 	  bugtraq@securityfocus.com, lwn@lwn.net

            GnuPG 1.4 and 2.0 buffer overflow
           ==================================

Summary
=======

While fixing a bug reported by Hugh Warrington, a buffer overflow has
been identified in all released GnuPG versions.  The current versions
1.4.5 and 2.0.0 are affected.  A small patch is provided.

Please do not send private mail in response to this message.  The
mailing list gnupg-devel is the best place to discuss this problem
(please subscribe first so you don't need moderator approval [1]).


Impact
======

When running GnuPG interactively, special crafted messages may be used
to crash gpg or gpg2.  Running gpg in batch mode, as done by all
software using gpg as a backend (e.g. mailers), is not affected by
this bug.

Exploiting this overflow seems to be possible.

gpg-agent, gpgsm, gpgv or other tools from the GnuPG suite are not
affected.



Solution
========

Apply the following patch to GnuPG.  It should apply cleanly to
current versions (1.4.5 as well as 2.0.0) but might also work for
older versions. 

2006-11-27  Werner Koch  <wk@g10code.com>

	* openfile.c (ask_outfile_name): Fixed buffer overflow occurring
	if make_printable_string returns a longer string.  Fixes bug 728.

--- g10/openfile.c      (revision 4348)
+++ g10/openfile.c      (working copy)
@@ -144,8 +144,8 @@

     s = _("Enter new filename");

-    n = strlen(s) + namelen + 10;
     defname = name && namelen? make_printable_string( name, namelen, 0): NULL;
+    n = strlen(s) + (defname?strlen (defname):0) + 10;
     prompt = xmalloc(n);
     if( defname )
        sprintf(prompt, "%s [%s]: ", s, defname );



Background:
===========

The code in question has been introduced on July 1, 1999 and is a
pretty obvious bug.  make_printable_string is supposed to replace
possible dangerous characters from a prompt and returns a malloced
string.  Thus this string may be longer than the orginal one; the
buffer for the prompt has only be allocated at the size of the original
string - oops.  Note, that using snprintf would not have helped in
this case.  How I wish C-90 had introduced asprintf or at least it
would be available on more platforms.

The original bug report is at https://bugs.g10code.com/gnupg/issue728 .



===
[1] See http://lists.gnupg.org/mailman/listinfo/gnupg-devel .


-- 
Werner Koch                                      <wk@gnupg.org>
The GnuPG Experts                                http://g10code.com
Join the Fellowship and protect your Freedom!    http://www.fsfe.org
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-11-27 22:10:57 UTC
and if you read the rest of the announcements on the relevant mailing lists, 1.4.6/2.0.1 will be out in a day or two to resolve this.
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2006-11-28 01:38:26 UTC
doesnt seem like a security issue, unless you can get someone to type in lots of (partially binary) characters.

Can anyone think of an attack using this bug?
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-11-28 05:37:17 UTC
where exactly do you have to type something? As I currently understand it, this can be triggered by interactively runnung gpg on a malicious file (like the one the reported attached to the upstream bug) - but I had no deep look here, since the vendor came out with this (and well, I seriously hope that they know what they are doing).
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2006-11-28 07:18:56 UTC
Ahh, I see what you mean, I hadnt read the bug.

Yes, this looks like it would be a problem then, ignore my last comment.
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-11-30 12:38:22 UTC
upstream has 2.0.1 out, but not 1.4.6 yet.
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2006-12-05 12:34:03 UTC
has not been fully wrangled so far... 
rating B2...

just to fill this comment field...
Comment 7 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2006-12-06 12:10:18 UTC
gnupg 1.4.6 is now available at http://www.gnupg.org/download/ 
Comment 8 Alon Bar-Lev (RETIRED) gentoo-dev 2006-12-06 13:15:23 UTC
Done.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-07 03:31:24 UTC
Please don't close Security bugs.

This one is ready for GLSA.
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-10 05:38:55 UTC
GLSA 200612-03