Summary: | <app-crypt/gnupg-1.4.13: memory access errors and keyring database corruption (CVE-2012-6085) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | | |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://www.openwall.com/lists/oss-security/2013/01/01/5 | | |
Whiteboard: | B2 [glsa] | | |
Package list: | | Runtime testing required: | --- |
@maintainer: if you want to maintain the 1.4 series, go ahead with the bump; otherwise cleaning the affected ebuild is enough.

Done.

(In reply to comment #2)
> Done.

Thanks, Alon.

Arches, please test and mark stable =app-crypt/gnupg-1.4.13

x86 stable

CVE Assignment: http://www.openwall.com/lists/oss-security/2013/01/01/6

amd64 stable

Stable for HPPA.

ppc stable

ppc64 stable

ia64 stable

sparc stable

arm stable

alpha stable

s390/sh stable

Crypto done. Thanks, everyone. New GLSA request filed.

CVE-2012-6085 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6085): The read_block function in g10/import.c in GnuPG 1.4.x before 1.4.13 and 2.0.x through 2.0.19, when importing a key, allows remote attackers to corrupt the public keyring database or cause a denial of service (application crash) via a crafted length field of an OpenPGP packet.

This issue was resolved and addressed in GLSA 201402-24 at http://security.gentoo.org/glsa/glsa-201402-24.xml by GLSA coordinator Chris Reffett (creffett).
From $URL :

On 12/28/2012 06:06 PM, KB Sriram wrote:

> Versions of GnuPG <= 1.4.12 are vulnerable to memory access violations and public keyring database corruption when importing public keys that have been manipulated.
>
> An OpenPGP key can be fuzzed in such a way that gpg segfaults (or has other memory access violations) when importing the key.
>
> The key may also be fuzzed such that gpg reports no errors when examining the key (eg: "gpg the_bad_key.pkr") but importing it causes gpg to corrupt its public keyring database.
>
> The database corruption issue was first reported on Dec 6th, through the gpg bug tracking system:
>
> https://bugs.g10code.com/gnupg/issue1455
>
> The subsequent memory access violation was discovered and reported in a private email with the maintainer on Dec 20th.
>
> A zip file with keys that cause segfaults and other errors is available at http://dl.dropbox.com/u/18852638/gnupg-issues/1455.zip and includes a log file that demonstrates the issues [on MacOS X and gpg 1.4.11].
>
> A new version of gpg -- 1.4.13 -- that addressed both these issues was independently released by the maintainer on Dec 20th.
>
> The simplest solution is to upgrade all gpg installs to 1.4.13.
>
> [Workarounds: A corrupted database may be recovered by manually copying back the pubring.gpg~ backup file. Certain errors may also be prevented by never directly importing a key, but first just "looking" at the key (eg: "gpg bad_key.pkr"). However, this is not guaranteed to work in all cases; though upgrading to 1.4.13 does work for the issues reported.]
>
> Discovery:
>
> The problem was discovered during a byte-fuzzing test of OpenPGP certificates for an unrelated application. Each byte in turn was replaced by a random byte, and the modified certificate fed to the application to check that it handled errors correctly. Gpg was used as a control, but it itself turned out to have errors related to packet parsing. The errors are generally triggered when fuzzing the length field of OpenPGP packets, which cascades into subsequent errors in certain situations.
>
> -kb
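Both the NVD description of CVE-2012-6085 (a crafted length field reaching read_block in g10/import.c) and KB Sriram's discovery note point at the packet length field as the trigger. The following is an added example, not code from GnuPG or from the report: a C walker over the packet headers of a binary OpenPGP blob, following the header encoding of RFC 4880 section 4.2, that refuses any header whose claimed body length exceeds the octets actually remaining. The type and function names (pgp_status, decode_header, parse_header, walk_packets, claimed_body_len) and the two sample blobs are constructed for this example; the sample bodies are filler bytes, not real key material.

```c
/* Added example (not GnuPG's code): a bounds-checked walk over the packet
 * headers of a binary OpenPGP blob, following RFC 4880 section 4.2. Each
 * claimed body length is checked against the octets that actually remain. */
#include <stdint.h>
#include <stdio.h>

typedef enum {
    PGP_OK = 0,
    PGP_ERR_TRUNCATED,     /* header or body claims more octets than remain */
    PGP_ERR_BAD_TAG,       /* bit 7 of the first octet clear: not a packet header */
    PGP_ERR_INDETERMINATE, /* old-format length type 3: refused in a key blob */
    PGP_ERR_PARTIAL        /* new-format partial body lengths: not accepted here */
} pgp_status;

/* tag, octets used by tag plus length field, octets the header claims for the body */
typedef struct { unsigned tag; size_t header_len, body_len; } pgp_header;

/* Decodes tag and claimed body length; does not yet check that the body fits. */
pgp_status decode_header(const uint8_t *buf, size_t len, pgp_header *out) {
    if (len < 1) return PGP_ERR_TRUNCATED;
    uint8_t t = buf[0];
    if (!(t & 0x80)) return PGP_ERR_BAD_TAG;
    if (t & 0x40) {                      /* new format: 6-bit tag */
        out->tag = t & 0x3F;
        if (len < 2) return PGP_ERR_TRUNCATED;
        uint8_t l1 = buf[1];
        if (l1 < 192) {                  /* one-octet length */
            out->body_len = l1; out->header_len = 2;
        } else if (l1 <= 223) {          /* two-octet length: 192..8383 */
            if (len < 3) return PGP_ERR_TRUNCATED;
            out->body_len = ((size_t)(l1 - 192) << 8) + buf[2] + 192;
            out->header_len = 3;
        } else if (l1 == 255) {          /* five-octet length: big-endian 32 bits */
            if (len < 6) return PGP_ERR_TRUNCATED;
            out->body_len = ((size_t)buf[2] << 24) | ((size_t)buf[3] << 16) |
                            ((size_t)buf[4] << 8) | buf[5];
            out->header_len = 6;
        } else {
            return PGP_ERR_PARTIAL;      /* 224..254 */
        }
    } else {                             /* old format: 4-bit tag, 2-bit length type */
        out->tag = (t >> 2) & 0x0F;
        unsigned ltype = t & 0x03;
        if (ltype == 3) return PGP_ERR_INDETERMINATE;
        size_t n = (size_t)1 << ltype;   /* 1, 2 or 4 length octets */
        if (len < 1 + n) return PGP_ERR_TRUNCATED;
        size_t v = 0;
        for (size_t i = 0; i < n; i++) v = (v << 8) | buf[1 + i];
        out->body_len = v;
        out->header_len = 1 + n;
    }
    return PGP_OK;
}

/* The check this bug class needs: the claimed body must fit in what remains. */
pgp_status parse_header(const uint8_t *buf, size_t len, pgp_header *out) {
    pgp_status s = decode_header(buf, len, out);
    if (s != PGP_OK) return s;
    return out->body_len > len - out->header_len ? PGP_ERR_TRUNCATED : PGP_OK;
}

/* Claimed body length of a single header, or SIZE_MAX if it does not decode. */
size_t claimed_body_len(const uint8_t *buf, size_t len) {
    pgp_header h;
    return decode_header(buf, len, &h) == PGP_OK ? h.body_len : SIZE_MAX;
}

/* Walks every packet; *count receives the packets accepted before stopping. */
pgp_status walk_packets(const uint8_t *buf, size_t len, size_t *count) {
    size_t off = 0;
    *count = 0;
    while (off < len) {
        pgp_header h;
        pgp_status s = parse_header(buf + off, len - off, &h);
        if (s != PGP_OK) return s;
        off += h.header_len + h.body_len; /* cannot overflow: body fits in len - off */
        (*count)++;
    }
    return PGP_OK;
}

/* Constructed sample blobs; bodies are filler, not real key material. */
const uint8_t sample_ok[] = {
    0xC6, 0x03, 0xAA, 0xBB, 0xCC,  /* new format, tag 6 (public key), 3-octet body */
    0xB4, 0x04, 'u', 's', 'e', 'r' /* old format, tag 13 (user ID), 4-octet body */
};
const uint8_t sample_bad_len[] = {
    0xC6, 0x03, 0xAA, 0xBB, 0xCC,
    0xB4, 0xFE, 'u', 's', 'e', 'r' /* length octet says 254 but only 4 octets remain */
};

int main(void) {
    size_t n;
    pgp_status s = walk_packets(sample_ok, sizeof sample_ok, &n);
    printf("sample_ok: status %d, %zu packets\n", (int)s, n);
    s = walk_packets(sample_bad_len, sizeof sample_bad_len, &n);
    printf("sample_bad_len: status %d after %zu packets\n", (int)s, n);
    return 0;
}
```

The walker only reads headers and skips bodies, so it is a cheap pre-check to run over a key file before handing it to an importer: a blob whose length fields disagree with its actual size is rejected deterministically rather than left to the importer's parser, which is the property the reporter's "look at the key first" workaround was hoping to get from gpg itself. Refusing indeterminate and partial body lengths is a design choice for this example, made so that every packet boundary can be verified against the buffer.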