Hi, I extracted a minimal patch from 1.4.5 for the Sarge security update. This has been assigned CVE-2006-3746.
Thanks,
Martin

-- 
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
--- gnupg-1.4.4/g10/parse-packet.c 2006-06-25 10:58:40.000000000 +0000 +++ gnupg-1.4.5/g10/parse-packet.c 2006-07-26 10:39:16.000000000 +0000 @@ -2088,6 +2088,16 @@ parse_comment( IOBUF inp, int pkttype, u { byte *p; + /* Cap comment packet at a reasonable value to avoid an integer + overflow in the malloc below. Comment packets are actually not + anymore define my OpenPGP and we even stopped to use our + private comment packet. */ + if (pktlen>65536) + { + log_error ("packet(%d) too large\n", pkttype); + iobuf_skip_rest (inp, pktlen, 0); + return G10ERR_INVALID_PACKET; + } packet->pkt.comment = xmalloc(sizeof *packet->pkt.comment + pktlen - 1); packet->pkt.comment->len = pktlen; p = packet->pkt.comment->data; @@ -2340,6 +2351,9 @@ parse_gpg_control( IOBUF inp, int pkttyp if ( sesmark[i] != iobuf_get_noeof(inp) ) goto skipit; } + if (pktlen > 4096) + goto skipit; /* Definitely too large. We skip it to avoid an + overflow in the malloc. */ if ( list_mode ) puts ("- gpg control packet");
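Review bot: In the parse_comment hunk the new comment has a typo that makes the rationale hard to read: "Comment packets are actually not anymore define my OpenPGP" should read "Comment packets are no longer defined by OpenPGP". The guard itself is correctly placed before the `xmalloc(sizeof *packet->pkt.comment + pktlen - 1)` call, which is the expression that wraps when pktlen is near UINT_MAX, and `iobuf_skip_rest (inp, pktlen, 0)` before returning G10ERR_INVALID_PACKET keeps the input stream positioned at the next packet, so the fix is sound as written; only the wording needs cleanup.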
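Review bot: In the parse_gpg_control hunk the oversized packet is skipped silently with `goto skipit`, whereas the parse_comment hunk logs `log_error ("packet(%d) too large\n", pkttype)` before bailing out. For consistency and so that a malformed control packet leaves a trace in the log, consider adding the same log_error call before the goto. Also, "Definitely too large" in the comment could state the actual reason the way the first hunk does (the 4096 cap prevents the size arithmetic in the subsequent malloc from overflowing).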