Bug 449546 (CVE-2012-6085) - <app-crypt/gnupg-1.4.13: memory access errors and keyring database corruption (CVE-2012-6085)
Status: RESOLVED FIXED
Alias: CVE-2012-6085
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-01-01 08:26 UTC by Agostino Sarubbo
Modified: 2014-02-21 16:08 UTC (History)
Description Agostino Sarubbo gentoo-dev 2013-01-01 08:26:59 UTC
From $URL :

On 12/28/2012 06:06 PM, KB Sriram wrote:
> Versions of GnuPG <= 1.4.12 are vulnerable to memory access
> violations and public keyring database corruption when importing
> public keys that have been manipulated.
> 
> An OpenPGP key can be fuzzed in such a way that gpg segfaults (or
> has other memory access violations) when importing the key.
> 
> The key may also be fuzzed such that gpg reports no errors when 
> examining the key (eg: "gpg the_bad_key.pkr") but importing it
> causes gpg to corrupt its public keyring database.
> 
> The database corruption issue was first reported on Dec 6th,
> through the gpg bug tracking system:
> 
> https://bugs.g10code.com/gnupg/issue1455
> 
> The subsequent memory access violation was discovered and reported
> in a private email with the maintainer on Dec 20th.
> 
> A zip file with keys that causes segfaults and other errors is 
> available at
> http://dl.dropbox.com/u/18852638/gnupg-issues/1455.zip and includes
> a log file that demonstrates the issues [on MacOS X and gpg
> 1.4.11]
> 
> A new version of gpg -- 1.4.13 -- that addressed both these issues,
> was independently released by the maintainer on Dec 20th.
> 
> The simplest solution is to upgrade all gpg installs to 1.4.13.
> 
> [Workarounds: A corrupted database may be recovered by manually 
> copying back the pubring.gpg~ backup file. Certain errors may also
> be prevented by never directly importing a key, but first just
> "looking" at the key (eg: "gpg bad_key.pkr"). However, this is not
> guaranteed to work in all cases; though upgrading to 1.4.13 does
> work for the issues reported.]
> 
> Discovery:
> 
> The problem was discovered during a byte-fuzzing test of OpenPGP 
> certificates for an unrelated application. Each byte in turn was 
> replaced by a random byte, and the modified certificate fed to the 
> application to check that it handled errors correctly. Gpg was used
> as a control, but it itself turned out to have errors related to
> packet parsing. The errors are generally triggered when fuzzing the
> length field of OpenPGP packets, which cascades into subsequent
> errors in certain situations.
> 
> -kb
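The report above describes two things: packet-length fields that a parser must bound-check before trusting, and a discovery method that replaces each byte of a certificate in turn with a random one. The block below is an added example, not GnuPG's code and not the reporter's fuzzer. It implements the OpenPGP packet framing rules from RFC 4880 section 4.2 (old-format lengths, new-format one-, two- and five-octet lengths, and partial body lengths) with every length checked against the bytes actually present, and runs the per-byte mutation loop against that parser. The sample stream, its function names, and the filler packet bodies are constructed for this example; it is not a real key, and the RFC rule that a first partial chunk be at least 512 bytes is deliberately not enforced.

```python
import random


class PacketError(ValueError):
    """Raised for any packet header or length field the input cannot satisfy."""


def _new_format_length(data, pos):
    """Decode one RFC 4880 new-format length at data[pos:] -> (length, next_pos, partial)."""
    if pos >= len(data):
        raise PacketError("truncated length header")
    first = data[pos]
    if first < 192:                                   # one-octet length
        return first, pos + 1, False
    if first < 224:                                   # two-octet length
        if pos + 2 > len(data):
            raise PacketError("truncated two-octet length")
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:                                  # five-octet length
        if pos + 5 > len(data):
            raise PacketError("truncated five-octet length")
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True         # 224..254: partial body length


def parse_packets(data):
    """Split a stream into (tag, body) pairs; every length is checked against the
    bytes present before slicing, so a fuzzed length raises PacketError."""
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise PacketError("bit 7 of the packet tag octet must be set")
        body = bytearray()
        if ctb & 0x40:                                # new-format header
            tag, partial = ctb & 0x3F, True
            while partial:                            # follow partial-length chunks
                length, pos, partial = _new_format_length(data, pos)
                if pos + length > len(data):
                    raise PacketError("body length exceeds remaining data")
                body += data[pos:pos + length]
                pos += length
        else:                                         # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                            # indeterminate: rest of stream
                length = len(data) - pos
            else:
                nbytes = 1 << ltype                   # 1, 2 or 4 length octets
                if pos + nbytes > len(data):
                    raise PacketError("truncated old-format length")
                length = int.from_bytes(data[pos:pos + nbytes], "big")
                pos += nbytes
            if pos + length > len(data):
                raise PacketError("body length exceeds remaining data")
            body += data[pos:pos + length]
            pos += length
        if tag == 0:
            raise PacketError("reserved packet tag 0")
        packets.append((tag, bytes(body)))
    return packets


def rejects(data):
    """True if parse_packets refuses the stream with a PacketError."""
    try:
        parse_packets(data)
        return False
    except PacketError:
        return True


def build_sample_stream():
    """Constructed sample (not a real key): Public-Key (tag 6, old-format 1-octet length),
    User ID (tag 13, new-format 1-octet length), Signature (tag 2, new-format 2-octet length)."""
    key_body = b"\x04" + b"\x00" * 29                          # v4 marker + filler
    uid = b"Alice Example <alice@example.org>"
    sig_body = b"\x00" * 300                                   # 300 encodes as 0xC0 0x6C
    return (bytes([0x98, len(key_body)]) + key_body
            + bytes([0xCD, len(uid)]) + uid
            + bytes([0xC2, 0xC0, 0x6C]) + sig_body)


def mutate_each_byte(data, rng):
    """The report's discovery method: replace each byte in turn with a random one."""
    for i in range(len(data)):
        mutant = bytearray(data)
        mutant[i] = rng.randrange(256)
        yield i, bytes(mutant)


def fuzz(data, rounds=4, seed=1):
    """Byte-fuzz the stream; only PacketError is caught, anything else is a parser bug."""
    rng = random.Random(seed)
    stats = {"accepted": 0, "rejected": 0}
    for _ in range(rounds):
        for _pos, mutant in mutate_each_byte(data, rng):
            try:
                parse_packets(mutant)
                stats["accepted"] += 1
            except PacketError:
                stats["rejected"] += 1
    return stats
```

Calling `fuzz(build_sample_stream())` returns the accepted and rejected counts; a mutant that escapes as an IndexError or an oversized allocation would be the parser-side analogue of the segfaults in the report. The accepted count is the more interesting number: a mutation inside a packet body passes framing checks cleanly, which is the shape of the second issue the reporter describes (a key that "gpg bad_key.pkr" shows without complaint but that misbehaves on import), so framing validation alone is not a substitute for checking what the import path does with the parsed packets.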
Comment 1 Agostino Sarubbo gentoo-dev 2013-01-01 08:29:08 UTC
@maintainer:

If you want to maintain the 1.4 series, go ahead with the bump; otherwise, cleaning the affected ebuild is enough.
Comment 2 Alon Bar-Lev (RETIRED) gentoo-dev 2013-01-01 16:19:56 UTC
Done.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-01 20:45:19 UTC
(In reply to comment #2)
> Done.

Thanks, Alon.

Arches, please test and mark stable =app-crypt/gnupg-1.4.13
Comment 4 Jeff (JD) Horelick (RETIRED) gentoo-dev 2013-01-01 22:16:15 UTC
x86 stable
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-01 23:34:13 UTC
CVE Assignment:

http://www.openwall.com/lists/oss-security/2013/01/01/6
Comment 6 Sergey Popov gentoo-dev 2013-01-02 09:58:57 UTC
amd64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2013-01-02 11:22:46 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2013-01-04 12:53:16 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-01-04 13:09:38 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-01-04 21:16:55 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-01-05 17:34:20 UTC
sparc stable
Comment 12 Markus Meier gentoo-dev 2013-01-06 10:24:51 UTC
arm stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-01-07 22:23:39 UTC
alpha stable
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2013-01-13 19:32:42 UTC
s390/sh stable
Comment 15 Alon Bar-Lev (RETIRED) gentoo-dev 2013-01-13 19:34:22 UTC
Crypto done.
Comment 16 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-15 21:37:57 UTC
Thanks, everyone.

New GLSA request filed.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2013-01-25 15:22:02 UTC
CVE-2012-6085 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6085):
  The read_block function in g10/import.c in GnuPG 1.4.x before 1.4.13 and
  2.0.x through 2.0.19, when importing a key, allows remote attackers to
  corrupt the public keyring database or cause a denial of service
  (application crash) via a crafted length field of an OpenPGP packet.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2014-02-21 16:08:27 UTC
This issue was resolved and addressed in
 GLSA 201402-24 at http://security.gentoo.org/glsa/glsa-201402-24.xml
by GLSA coordinator Chris Reffett (creffett).