
Bug 540016 (CVE-2015-1606, CVE-2015-1607)

Summary: <app-crypt/gnupg-2.1.2: Multiple vulnerabilities (CVE-2015-{1606,1607})
Product: Gentoo Security
Reporter: Kristian Fiskerstrand <k_f>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: alonbl, crypto+disabled, hanno
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://seclists.org/oss-sec/2015/q1/551
Whiteboard: A3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 552936
Bug Blocks:

Description Kristian Fiskerstrand gentoo-dev Security 2015-02-13 20:52:28 UTC
From ${URL}:

Advisory published here:
https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html

A complex tool like GnuPG has many ways to parse input data. I
previously had fuzzed GnuPG which had led to the detection of a Buffer
Overflow vulnerability in GnuPG and libksba (CVE-2014-9087). Recently I
tried to fuzz less obvious inputs of GnuPG: Keyrings and configuration
files.

GnuPG allows specifying a non-standard keyring on the command line.
Fuzzing GPG with gpg --export --no-default-keyring --keyring [input
keyring] led to the detection of various issues. (Please note that the
keyring parameter needs the full path and does not like filenames with
unusual characters like the ones generated by american fuzzy lop.)

NULL pointer deref in parse_trust (parse-packet.c)
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=39978487863066e59bb657f5fe4e8baab510da7e
https://crashes.fuzzing-project.org/TFPA-2015-01-gnupg-keyring-null-ptr-1

NULL pointer deref in do_key (build-packet.c)
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=0835d2f44ef62eab51fce6a927908f544e01cf8f
https://crashes.fuzzing-project.org/TFPA-2015-01-gnupg-keyring-null-ptr-2

Use after free (build-packet.c)
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=f0f71a721ccd7ab9e40b8b6b028b59632c0cc648
https://crashes.fuzzing-project.org/TFPA-2015-01-gnupg-keyring-use-after-free

memcpy with overlapping ranges (keybox_search.c)
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2183683bd633818dd031b090b5530951de76f392
https://crashes.fuzzing-project.org/TFPA-2015-01-gnupg-keyring-memcpy-overlap

All issues found with american fuzzy lop. Fuzzing of the configuration
file parser showed no issues.

While keyrings are usually not user-submitted data, some of these can
be reached through other code paths. None of the issues looks severe,
however judging the exact security would require further analysis.

Timeline:
2015-02-06 Reported three issues to GnuPG developer Werner Koch
2015-02-09 All reported issues fixed in git
2015-02-09 Reported one more issue to Werner Koch
2015-02-11 Last issue fixed in git
2015-02-11 Release of GnuPG 2.1.2 containing all fixes

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42

##

GnuPG 2.1.2 is already in tree, but I take it at least some of these issues also affect 2.0, as indicated by WK's: "I plan to do that but first 2.1 needs to get more stable.  And I have to do maintenance release of 1.4 and 2.0 too.  I am currently working on 2.0." ( https://lists.gnupg.org/pipermail/gnupg-devel/2015-February/029492.html )
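The fourth entry in the advisory above, memcpy with overlapping ranges, is a bug class that is easy to illustrate and easy to check for in review. The block below is an added example, not GnuPG's keybox_search.c and not the code from the linked commit; the fixed-size record buffer, REC_SIZE and the helper names ranges_overlap, copy_maybe_overlapping and delete_record are constructed for this illustration. It shows the overlap test a reviewer would look for and the memmove fallback that keeps the copy well-defined; memcpy is only specified for disjoint ranges.

```c
/* Added illustration of the "memcpy with overlapping ranges" bug class.
 * This is NOT GnuPG's keybox_search.c; the buffer layout, REC_SIZE and
 * helper names are constructed for the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if [dst, dst+n) and [src, src+n) share at least one byte.
 * Comparing as uintptr_t is well-defined for pointers into the same
 * buffer, which is the situation a record shift produces. */
int ranges_overlap(const void *dst, const void *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    if (n == 0)
        return 0;
    return (d < s + n) && (s < d + n);
}

/* Copy that is correct whether or not the ranges overlap. memcpy is only
 * defined for disjoint ranges, so fall back to memmove when they meet. */
void *copy_maybe_overlapping(void *dst, const void *src, size_t n)
{
    if (ranges_overlap(dst, src, n))
        return memmove(dst, src, n);
    return memcpy(dst, src, n);
}

/* Constructed scenario: a buffer of fixed-size records from which the
 * record at `idx` is deleted by shifting the following records down.
 * Source and destination of that shift overlap by design. Returns the
 * new record count. */
#define REC_SIZE 4
size_t delete_record(unsigned char *buf, size_t nrecs, size_t idx)
{
    if (idx >= nrecs)
        return nrecs;
    size_t tail = (nrecs - idx - 1) * REC_SIZE;
    copy_maybe_overlapping(buf + idx * REC_SIZE,
                           buf + (idx + 1) * REC_SIZE, tail);
    return nrecs - 1;
}

int main(void)
{
    /* Constructed sample: four 4-byte records. */
    unsigned char buf[] = "AAAABBBBCCCCDDDD";
    size_t n = delete_record(buf, 4, 1);
    printf("%zu records: %.*s\n", n, (int)(n * REC_SIZE), buf);
    return 0;
}
```

Deleting record 1 leaves "AAAACCCCDDDD"; the shift source (records 2..3) and destination (records 1..2) overlap by one record, which is exactly the case where a plain memcpy is undefined behaviour and where sanitizers or a fuzzer such as the one used in the advisory will flag it.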
Comment 1 Thomas Deutschmann gentoo-dev Security 2016-11-19 02:44:20 UTC
All issues were fixed in v2.1.2 which appeared in Gentoo via https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-crypt/gnupg/gnupg-2.1.2.ebuild?hideattic=0&view=log
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2017-01-20 22:25:11 UTC
This issue is likely fixed in 2.0.27 (https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000362.html) and 1.4.19 (https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html), but 2.0 series is anyways on its way out in bug 606604 - 1.4 however will remain in tree for the foreseeable future
Comment 3 Alon Bar-Lev gentoo-dev 2017-02-18 18:27:46 UTC
Cleaned.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2017-04-17 22:40:11 UTC
GLSA Vote: No
Arches and Maintainer(s), Thank you for your work.