Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 329583 - <app-crypt/gnupg-2.0.16-r1: GPGSM use after free (CVE-2010-2547)
Summary: <app-crypt/gnupg-2.0.16-r1: GPGSM use after free (CVE-2010-2547)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://lists.gnupg.org/pipermail/gnup...
Whiteboard: B2 [glsa]
Keywords:
: 329587 (view as bug list)
Depends on:
Blocks:
 
Reported: 2010-07-23 14:12 UTC by cilly
Modified: 2011-10-22 04:28 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch for Realloc Bug with X.509 certificates in GnuPG <2.0.17 (gnupg-realloc-X.509.patch,295 bytes, patch)
2010-07-27 07:39 UTC, cilly
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description cilly 2010-07-23 14:12:01 UTC
Realloc Bug with X.509 certificates in GnuPG
           ==============================================
                             2010-07-23


Summary
=======

While trying to import a server certificate for a CDN service, a segv
bug was found in GnuPG's GPGSM tool.  It is likely that this bug is
exploitable by sending a special crafted signed message and having a
user verify the signature.

[ Please do not send private mail in response to this message.  The
 mailing list gnupg-devel is the best place to discuss this problem
 (please subscribe first so you don't need moderator approval [1]). ]


Impact
======

All applications using GnuPG's GPGSM tool to process S/MIME messages
or manage X.509 certificates are affected.  The bug exists in all
versions of GnuPG including the recently released GnuPG 2.0.16.

GPG (i.e. OpenPGP) is NOT affected.

GnuPG 1.x is NOT affected because it does not come with the GPGSM
tool.

An exploit is not yet known but it can't be ruled out for sure that
the problem has not already been identified by some dark forces.


Description
===========

Importing a certificate with more than 98 Subject Alternate Names [2]
via GPGSM's import command or implicitly while verifying a signature
causes GPGSM to reallocate an array with the names.  The bug is that
the reallocation code misses assigning the reallocated array to the
old array variable and thus the old and freed array will be used.
Usually this leads to a segv.

It might be possible to use one of the techniques to exploit
assignments to malloced and freed memory.  Such an exploit won't be
easy to write because the attack vector must fit into a valid ASN.1
DER encoded DN.  To further complicate the task, that DN is not used
directly but after a transformation to RFC-2253 format.



Solution
========

Apply the following patch.  The patch is required for all GnuPG
versions < 2.0.17.  It applies to 2.0.16 but should apply to many
older versions as well.


--- kbx/keybox-blob.c   (revision 5367)
+++ kbx/keybox-blob.c   (working copy)
@@ -898,6 +898,7 @@
              rc = gpg_error_from_syserror ();
              goto leave;
            }
+          names = tmp;
        }
      names[blob->nuids++] = p;
      if (!i && (p=x509_email_kludge (p)))




Support 
=======

g10 Code GmbH [3], a Duesseldorf based company owned and headed by
GnuPG's principal author, is currently funding GnuPG development.
Support contracts or other financial backing will greatly help us to
improve the quality of GnuPG.


Thanks
======

Peter Gutmann for his "A mighty fortress is our PKI" mail to the
cryptography ML which contained a pointer to a certificate to exhibit
the problem.  This bug was created, found and fixed by Werner Koch.


[1] See http://lists.gnupg.org/mailman/listinfo/gnupg-devel
[2] <http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/*checkout*/trunk/tests/samplekeys/cert-with-117-akas.pem>
[3] See http://www.gnupg.org/service.html

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

ebuild request for gnupg-2.0.17, pls
Comment 1 cilly 2010-07-23 14:13:00 UTC
gnupg-1.x is not affected
Comment 2 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-07-23 15:17:50 UTC
*** Bug 329587 has been marked as a duplicate of this bug. ***
Comment 3 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-07-23 15:19:16 UTC
adding maintainers to cc
Comment 4 cilly 2010-07-27 07:39:54 UTC
Created attachment 240285 [details, diff]
Patch for Realloc Bug with X.509 certificates in GnuPG <2.0.17
Comment 5 cilly 2010-07-27 07:41:25 UTC
http://secunia.com/advisories/38877/

Exploit is public.
Comment 6 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-08-10 15:20:25 UTC
CVE-2010-2547 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2547):
  Use-after-free vulnerability in kbx/keybox-blob.c in GPGSM in GnuPG
  2.x through 2.0.16 allows remote attackers to cause a denial of
  service (crash) and possibly execute arbitrary code via a certificate
  with a large number of Subject Alternate Names, which is not properly
  handled in a realloc operation when importing the certificate or
  verifying its signature.

Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-08-10 15:51:23 UTC
There is NO 2.0.17 on the master upstream site or any of the mirrors, nor any announcement emails of it on the upstream lists.

I have spun a 2.0.16-r1 with the patch instead.
Comment 8 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-08-17 18:57:44 UTC
Stabilize app-crypt/gnupg-2.0.16-r1.
alpha, ia64, s390, sh and sparc need to first perform stabilizations in bug #320037.
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-08-18 02:50:51 UTC
x86 stable
Comment 10 Jeroen Roovers gentoo-dev 2010-08-18 04:28:21 UTC
Stable for HPPA.
Comment 11 Jeroen Roovers gentoo-dev 2010-08-18 04:46:10 UTC
Stable for PPC.
Comment 12 Markos Chandras (RETIRED) gentoo-dev 2010-08-18 14:40:01 UTC
amd64 done
Comment 13 Markus Meier gentoo-dev 2010-08-21 18:43:21 UTC
arm stable
Comment 14 Brent Baude (RETIRED) gentoo-dev 2010-09-06 20:30:19 UTC
ppc64 done
Comment 15 Tobias Klausmann gentoo-dev 2010-09-10 12:16:19 UTC
Stable on alpha.
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2010-09-11 15:17:40 UTC
ia64/s390/sh/sparc stable
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2010-09-29 21:31:38 UTC
glsa request filed.
Comment 18 Sebastian Pipping gentoo-dev 2011-01-11 22:36:52 UTC
Typed into the wrong window. Really. Sorry! I need sleep.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2011-10-22 04:28:26 UTC
This issue was resolved and addressed in
 GLSA 201110-15 at http://security.gentoo.org/glsa/glsa-201110-15.xml
by GLSA coordinator Tim Sammut (underling).