Your message dated Fri, 01 Jul 2022 07:35:23 +0000
with message-id <e1o7bbt-000gi8...@fasolo.debian.org>
and subject line Bug#1014157: fixed in gnupg2 2.2.35-3
has caused the Debian Bug report #1014157,
regarding gnupg: vulnerable to status injection
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1014157: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014157
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gnupg
Version: 2.2.25-2
Control: tag -1 + security patch
Control: forward -1 https://dev.gnupg.org/T6027
Control: affects -1 libgpgme11
Control: found 2.2.27-2+deb11u1
Over in https://www.openwall.com/lists/oss-security/2022/06/30/1 Demi
Marie Obenour reports a failed buffer overflow that has the result that
anyone using gpgme (and probably other tooling) cannot trust the results
of signature validation.
I've confirmed that the reported bug is present both in bullseye
(2.2.27-2+deb11u1) and unstable :(
The attached patch (pulled from upstream git) fixes the matter that was
present in 2.2.25-2. I'm in the process of testing it on bullseye.
--dkg
From: Werner Koch <w...@gnupg.org>
Date: Tue, 14 Jun 2022 11:33:27 +0200
Subject: g10: Fix garbled status messages in NOTATION_DATA
* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
--
Depending on the escaping and line wrapping the computed remaining
buffer length could be wrong. Fixed by always using a break to
terminate the escape detection loop. Might have happened for all
status lines which may wrap.
GnuPG-bug-id: T6027
(cherry picked from commit 34c649b3601383cd11dbc76221747ec16fd68e1b)
---
g10/cpr.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/g10/cpr.c b/g10/cpr.c
index d502e8b..bc4b715 100644
--- a/g10/cpr.c
+++ b/g10/cpr.c
@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string,
}
first = 0;
}
- for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
+ for (esc=0, s=buffer, n=len; n; s++, n--)
{
if (*s == '%' || *(const byte*)s <= lower_limit
|| *(const byte*)s == 127 )
esc = 1;
if (wrap && ++count > wrap)
- {
- dowrap=1;
- break;
- }
- }
- if (esc)
- {
- s--; n++;
+ dowrap=1;
+ if (esc || dowrap)
+ break;
}
if (s != buffer)
es_fwrite (buffer, s-buffer, 1, statusfp);
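Review bot: The rewritten loop depends on `if (esc || dowrap) break;` leaving `s` and `n` on the byte that triggered the escape or the wrap, but nothing at that line states the invariant. The removed `s--; n++;` fix-up shows how easy it is to get wrong: the old wrap branch broke out before `s++, n--` ran, yet the fix-up after the loop still stepped back whenever `esc` was set, so a byte that both needed escaping and crossed the wrap limit left `s` one byte too far back and `n` one too large for the `es_fwrite (buffer, s-buffer, 1, statusfp)` that follows. A short comment above the `break` saying that `s`/`n` must not advance past the triggering byte would guard against someone restoring the `!esc` loop condition. The diffstat lists only g10/cpr.c, so no regression test comes with the fix; a test that writes a NOTATION_DATA value long enough to wrap, with `%` or a control byte falling exactly on the wrap limit, would cover this case.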
--- End Message ---
--- Begin Message ---
Source: gnupg2
Source-Version: 2.2.35-3
Done: Daniel Kahn Gillmor <d...@fifthhorseman.net>
We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1014...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <d...@fifthhorseman.net> (supplier of updated gnupg2
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Fri, 01 Jul 2022 02:01:17 -0400
Source: gnupg2
Architecture: source
Version: 2.2.35-3
Distribution: unstable
Urgency: high
Maintainer: Debian GnuPG Maintainers <pkg-gnupg-ma...@lists.alioth.debian.org>
Changed-By: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Closes: 1014157
Changes:
gnupg2 (2.2.35-3) unstable; urgency=high
.
* fix security error from large notations (Thanks, Demi Marie Obenour)
(Closes: #1014157)
* Standards-Version: bump to 4.6.1 (no changes needed)
* clean up lintian-overrides
--- End Message ---