Package: gnupg
Version: 1.4.12-7+deb7u6
Severity: important
Tags: patch upstream

GnuPG upstream has fixed several minor failures on bad input recently,
but the fixes haven't made it into a released version of the 1.4.x
branch.

Those errors are:

https://bugs.g10code.com/gnupg/issue1713 - endless loop on bad input
to mpi_invm

https://bugs.g10code.com/gnupg/issue1761 - canceled passphrase entry
can cause a NULL dereference

off-by-one read in the UAT parser (see upstream commit
0988764397f99db4efef1eabcdb8072d6159af76)

Possible printing of unprintable data when listing signature
subpackets (see upstream commit
596ae9f5433ca3b0e01f7acbe06fd2e424c42ae8)

I'm attaching patches for all these issues, pulled from upstream git's
STABLE-BRANCH-1-4.

        --dkg


-- System Information:
Debian Release: 7.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnupg depends on:
ii  dpkg          1.16.15
ii  gpgv          1.4.12-7+deb7u6
ii  install-info  4.13a.dfsg.1-10
ii  libbz2-1.0    1.0.6-4
ii  libc6         2.13-38+deb7u6
ii  libreadline6  6.2+dfsg-0.1
ii  libusb-0.1-4  2:0.1.12-20+nmu1
ii  zlib1g        1:1.2.7.dfsg-13

Versions of packages gnupg recommends:
pn  gnupg-curl     <none>
ii  libldap-2.4-2  2.4.31-1+nmu2

Versions of packages gnupg suggests:
pn  gnupg-doc                       <none>
pn  libpcsclite1                    <none>
pn  xloadimage | imagemagick | eog  <none>

-- no debconf information
From cd53cdbc3774fb193bdebcdc5d7019ddebc16dbc Mon Sep 17 00:00:00 2001
From: Werner Koch <w...@gnupg.org>
Date: Thu, 11 Sep 2014 17:06:16 +0200
Subject: [PATCH 07/20] mpi: Improve mpi_invm to detect bad input.

* mpi/mpi-inv.c (mpi_invm): Return 0 for bad input.
--

Without this patch the function may enter an endless loop.  This is a
backport from libgcrypt.

GnuPG-bug-id: 1713
---
 mpi/mpi-inv.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/mpi/mpi-inv.c b/mpi/mpi-inv.c
index b762630..361c57e 100644
--- a/mpi/mpi-inv.c
+++ b/mpi/mpi-inv.c
@@ -165,6 +165,11 @@ mpi_invm( MPI x, MPI a, MPI n )
     int sign;
     int odd ;
 
+    if (!mpi_cmp_ui (a, 0))
+        return 0; /* Inverse does not exists.  */
+    if (!mpi_cmp_ui (n, 1))
+        return 0; /* Inverse does not exists.  */
+
     u = mpi_copy(a);
     v = mpi_copy(n);
 
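Review bot: the two new guards `return 0` without touching `x`, so their effect hinges on mpi_invm's return type and on callers checking the result; if the declaration just above this hunk is still `void` in the 1.4.12 tree, `return 0;` will not compile cleanly, and a caller that ignores the result continues with whatever `x` held before the call. Confirm the declaration is `int` and audit the callers of mpi_invm for the 0 case. The guards also leave `n == 0` unhandled, which is worth checking against the loop below since a zero modulus is no more valid than `n == 1`. Minor: the comment reads "does not exists"; "does not exist".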
-- 
2.1.3

From 69767ccf4218d0dc5ef2d7e141be0f14c88fea59 Mon Sep 17 00:00:00 2001
From: Werner Koch <w...@gnupg.org>
Date: Mon, 24 Nov 2014 19:32:47 +0100
Subject: [PATCH 16/20] gpg: Fix a NULL-deref for invalid input data.

* g10/mainproc.c (proc_encrypted): Take care of canceled passphrase
entry.
--

GnuPG-bug-id: 1761
Signed-off-by: Werner Koch <w...@gnupg.org>

(backported from commit 32e85668b82f6fbcb824eea9548970804fb41d9e)
---
 g10/mainproc.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/g10/mainproc.c b/g10/mainproc.c
index d355a21..15baefe 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -540,7 +540,9 @@ proc_encrypted( CTX c, PACKET *pkt )
 	result = -1;
     else if( !c->dek && !c->last_was_session_key ) {
         int algo;
-        STRING2KEY s2kbuf, *s2k = NULL;
+        STRING2KEY s2kbuf;
+        STRING2KEY *s2k = NULL;
+        int canceled;
 
 	if(opt.override_session_key)
 	  {
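Review bot: `int canceled;` is declared without an initializer, so any later test of it is only defined if passphrase_to_dek stores to `*canceled` on every path that returns NULL. Initialising it here (`int canceled = 0;`) makes the passphrase-error fallback the default regardless of how the callee behaves and costs nothing.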
@@ -580,9 +582,13 @@ proc_encrypted( CTX c, PACKET *pkt )
 		log_info (_("assuming %s encrypted data\n"), "IDEA");
 	      }
 
-	    c->dek = passphrase_to_dek ( NULL, 0, algo, s2k, 0, NULL, NULL );
+	    c->dek = passphrase_to_dek ( NULL, 0, algo, s2k, 0, NULL,&canceled);
 	    if (c->dek)
 	      c->dek->algo_info_printed = 1;
+            else if (canceled)
+              result = G10ERR_CANCELED;
+            else
+              result = G10ERR_PASSPHRASE;
 	  }
     }
     else if( !c->dek )
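Review bot: the new `else if (canceled)` branch reads a flag that the earlier hunk declares without an initialiser, so this error mapping depends on passphrase_to_dek writing `*canceled` before every NULL return; either initialise the flag at its declaration or note in the commit message that the callee guarantees this. The mapping also only runs when `c->dek` is NULL, so a cancel that still yielded a dek is treated as success, which is presumably intended but worth stating. Style: `NULL,&canceled` lacks a space after the comma, and the added `else if`/`else` lines are indented with spaces where the surrounding block uses tabs, so the nesting looks wrong in an 8-column view.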
-- 
2.1.3

From 2b4809406b6536cbb67a2282bf855710b8454dc2 Mon Sep 17 00:00:00 2001
From: Werner Koch <w...@gnupg.org>
Date: Mon, 24 Nov 2014 19:38:04 +0100
Subject: [PATCH 17/20] gpg: Fix off-by-one read in the attribute subpacket
 parser.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* g10/parse-packet.c (parse_attribute_subpkts): Check that the
attribute packet is large enough for the subpacket type.
--

Reported-by: Hanno Böck
Signed-off-by: Werner Koch <w...@gnupg.org>

(backported from commit 0988764397f99db4efef1eabcdb8072d6159af76)
---
 g10/parse-packet.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index dcda8ef..db1702f 100644
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -2026,6 +2026,14 @@ parse_attribute_subpkts(PKT_user_id *uid)
       if( buflen < n )
 	goto too_short;
 
+      if (!n)
+        {
+          /* Too short to encode the subpacket type.  */
+          if (opt.verbose)
+            log_info ("attribute subpacket too short\n");
+          break;
+        }
+
       attribs=xrealloc(attribs,(count+1)*sizeof(struct user_attribute));
       memset(&attribs[count],0,sizeof(struct user_attribute));
 
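Review bot: on `n == 0` the parser does `break`, silently ending the subpacket loop and keeping whatever attributes were parsed so far, whereas the length check two lines above routes the other malformed-length case through `goto too_short`; a zero-length subpacket is equally malformed, so either use `too_short` here as well or explain in the commit message why quietly truncating the list (logged only under `opt.verbose`) is the preferred behaviour. Also confirm that the `n` compared here is the subpacket length including the type octet, so that `n >= 1` really does guarantee the type byte read below is within `buflen`.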
-- 
2.1.3

From 2d359681f08999686734421228cb69893d8a0060 Mon Sep 17 00:00:00 2001
From: Werner Koch <w...@gnupg.org>
Date: Mon, 24 Nov 2014 19:41:46 +0100
Subject: [PATCH 18/20] gpg: Fix use of uninit.value in listing sig subpkts.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* g10/parse-packet.c (dump_sig_subpkt): Print regex subpacket
sanitized.
--

We may not use "%s" to print an arbitrary buffer.  At least "%.*s"
should have been used.  However, it is in general preferable to escape
control characters while printf user data.

Reported-by: Hanno Böck
Signed-off-by: Werner Koch <w...@gnupg.org>

(backported from commit 596ae9f5433ca3b0e01f7acbe06fd2e424c42ae8)
---
 g10/parse-packet.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index db1702f..01600e4 100644
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -892,13 +892,18 @@ dump_sig_subpkt( int hashed, int type, int critical,
 	if(length!=2)
 	  p="[invalid trust subpacket]";
 	else
-	  fprintf (listfp, "trust signature of depth %d, value %d",buffer[0],buffer[1]);
+	  fprintf (listfp, "trust signature of depth %d, value %d",
+                   buffer[0],buffer[1]);
 	break;
       case SIGSUBPKT_REGEXP:
 	if(!length)
 	  p="[invalid regexp subpacket]";
 	else
-	  fprintf (listfp, "regular expression: \"%s\"",buffer);
+          {
+            fprintf (listfp, "regular expression: \"");
+            print_string (listfp, buffer, length, '\"');
+            p = "\"";
+          }
 	break;
       case SIGSUBPKT_REVOCABLE:
 	if( length )
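Review bot: the SIGSUBPKT_REGEXP change is the actual fix (a length-bounded `print_string (listfp, buffer, length, '\"')` in place of `"%s"` on a buffer with no guaranteed NUL terminator, with `p = "\""` supplying the closing quote), but the same hunk also reflows the unrelated trust-signature `fprintf` onto two lines; keep that cosmetic reindent out of a security backport so the diff stays easy to audit. Also double-check that `length` here is the subpacket's own length rather than the remaining packet length, since print_string will read exactly that many bytes.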
-- 
2.1.3
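The last commit message makes a general point that applies beyond this one listing routine: a `"%s"` format reads until the first NUL, so printing a length-delimited protocol field with it walks off the end of the field whenever the field is not NUL-terminated, and even the bounded `"%.*s"` still emits raw control bytes to the terminal. The following is an added example (not GnuPG code; `escape_for_listing`, `demo_listing_line`, `demo_bounded_only` and the sample bytes are all constructed here) showing the two safer alternatives side by side on a regexp-style subpacket body that contains an escape sequence and a quote and has no terminating NUL.

```c
#include <stdio.h>
#include <string.h>

/* Copy IN (INLEN bytes, not NUL-terminated) into OUT as printable text.
   Control bytes and bytes >= 0x7f become \xNN; backslash and DELIM are
   backslash-escaped.  Never reads past INLEN, never writes past OUTSZ,
   always NUL-terminates when OUTSZ > 0.  Returns bytes written (no NUL). */
size_t escape_for_listing(const unsigned char *in, size_t inlen, char delim,
                          char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = in[i];
        char tmp[5];
        size_t n;
        if (c == '\\' || c == (unsigned char)delim) {
            tmp[0] = '\\'; tmp[1] = (char)c; n = 2;
        } else if (c < 0x20 || c >= 0x7f) {
            n = (size_t)snprintf(tmp, sizeof tmp, "\\x%02x", (unsigned)c);
        } else {
            tmp[0] = (char)c; n = 1;
        }
        if (o + n + 1 > outsz)   /* no room for this token plus the NUL */
            break;
        memcpy(out + o, tmp, n);
        o += n;
    }
    if (outsz)
        out[o] = '\0';
    return o;
}

/* Constructed sample: 16 bytes of subpacket body (indices 0..15), followed
   by bytes that merely happen to sit after it in memory.  There is no NUL
   inside the body, so "%s" would read straight through into the tail. */
static const unsigned char sample_subpkt[] = {
    '<', '[', '^', '>', ']', '+', '[', '@', '.', ']',
    0x1b, '[', '3', '1', 'm', '"',          /* ESC [31m and a quote */
    0x00, 'J', 'U', 'N', 'K'                /* tail, outside the field */
};
static const size_t sample_len = 16;        /* the subpacket's length field */

/* Escaped form, laid out like the fixed dump_sig_subpkt output:
   opening quote, sanitized body, closing quote.  Returns bytes written. */
size_t demo_listing_line(char *line, size_t linesz)
{
    size_t o = 0;
    if (linesz < 3)
        return 0;
    line[o++] = '"';
    o += escape_for_listing(sample_subpkt, sample_len, '"',
                            line + o, linesz - o - 1);
    line[o++] = '"';
    line[o] = '\0';
    return o;
}

/* The minimal fix the commit message mentions: "%.*s" bounds the read to
   the field length but passes control bytes through unescaped. */
int demo_bounded_only(char *line, size_t linesz)
{
    return snprintf(line, linesz, "\"%.*s\"", (int)sample_len,
                    (const char *)sample_subpkt);
}

int main(void)
{
    char line[64];
    demo_listing_line(line, sizeof line);
    printf("escaped : %s\n", line);
    demo_bounded_only(line, sizeof line);
    printf("bounded : %zu bytes (contains raw control bytes)\n", strlen(line));
    return 0;
}
```

The escaped form is what a listing that may be shown on a terminal wants; the `"%.*s"` form is acceptable only when the output sink is known not to interpret control sequences.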
