Package: gnupg
Version: 1.4.6-1
Severity: important
Tags: security
Justification: remote dos

I somehow found this signature (which seems to be too large to append to a mail):

http://subdivi.de/~helmut/gpg-outofmemory.sig

Running gpg --verify gpg-outofmemory.sig will cause gpg to try to allocate over 1G of memory. I consider this to be a denial of service attack, as the file could cause gpg to allocate up to 4G of memory, which could cause the Linux kernel to OOM kill arbitrary applications, which might cause data loss. gpg is used with software like mutt to automatically verify signatures, so the user might not know what the bad signature does.

I have some more files of this kind. Please contact me in case you need additional information.

Helmut Grohne

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages gnupg depends on:
ii  gpgv           1.4.6-1       GNU privacy guard - signature veri
ii  libbz2-1.0     1.0.3-6       high-quality block-sorting file co
ii  libc6          2.3.6.ds1-9   GNU C Library: Shared libraries
ii  libldap2       2.1.30-13.2   OpenLDAP libraries
ii  libreadline5   5.2-1         GNU readline and history libraries
ii  libusb-0.1-4   2:0.1.12-2    userspace USB programming library
ii  makedev        2.3.1-83      creates device files in /dev
ii  zlib1g         1:1.2.3-13    compression library - runtime

gnupg recommends no packages.

-- no debconf information
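The report does not say what drives the allocation, so the following is an added, defensive illustration rather than GnuPG code: it assumes (an assumption, not something the report confirms) that the oversized allocation follows a packet body length declared in the file, and shows how a pre-screen over RFC 4880 packet headers can refuse a packet whose declared length exceeds a cap before any body is read. The cap `MAX_PACKET_BODY`, the exception name and the sample packets are all constructed here.

```python
"""Pre-screen an OpenPGP (RFC 4880) packet stream for oversized declared lengths.
Added example for this bug report, not GnuPG's own code. ASSUMPTION: the large
allocation tracks a declared packet body length; the check below refuses any
packet whose declared length exceeds a cap before its body is touched."""
import struct

MAX_PACKET_BODY = 16 * 1024 * 1024  # constructed cap; a detached signature is tiny


class OversizedPacket(ValueError):
    """Raised when a packet header declares a body larger than the cap."""


def parse_header(buf, off):
    """Return (tag, body_length, header_length) for the packet at buf[off:].
    body_length is None for partial-length or indeterminate-length packets."""
    ctb = buf[off]
    if not ctb & 0x80:
        raise ValueError("bit 7 of the packet tag octet must be set")
    if ctb & 0x40:  # new-format header (RFC 4880 section 4.2.2)
        tag = ctb & 0x3F
        b1 = buf[off + 1]
        if b1 < 192:
            return tag, b1, 2  # one-octet length
        if b1 < 224:
            return tag, ((b1 - 192) << 8) + buf[off + 2] + 192, 3  # two-octet length
        if b1 == 255:
            return tag, struct.unpack(">I", buf[off + 2:off + 6])[0], 6  # five-octet length
        return tag, None, 2  # partial body length (224..254)
    tag = (ctb >> 2) & 0x0F  # old-format header (RFC 4880 section 4.2.1)
    ltype = ctb & 0x03
    if ltype == 3:
        return tag, None, 1  # indeterminate length
    n = 1 << ltype  # 1, 2 or 4 length octets
    return tag, int.from_bytes(buf[off + 1:off + 1 + n], "big"), 1 + n


def screen_packets(buf, cap=MAX_PACKET_BODY):
    """Walk the headers and return [(tag, length), ...]; raise before any body
    above the cap, or any open-ended length, would have to be allocated."""
    out, off = [], 0
    while off < len(buf):
        tag, length, hlen = parse_header(buf, off)
        if length is None:
            raise ValueError(f"packet at offset {off} has no fixed length; refusing")
        if length > cap:
            raise OversizedPacket(f"tag {tag} at offset {off} declares {length} bytes")
        if off + hlen + length > len(buf):
            raise ValueError(f"packet at offset {off} is truncated")
        out.append((tag, length))
        off += hlen + length
    return out
```

Running `screen_packets` over the raw (dearmored) bytes before handing a file to a verifier lets a mail client such as mutt reject a file that declares a gigabyte-sized body without ever allocating it.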