GnuPG 1.4 and 2.0 buffer overflow
=================================

Summary
=======

While fixing a bug reported by Hugh Warrington, a buffer overflow has been identified in all released GnuPG versions. The current versions 1.4.5 and 2.0.0 are affected. A small patch is provided.

Please do not send private mail in response to this message. The mailing list gnupg-devel is the best place to discuss this problem (please subscribe first so you don't need moderator approval [1]).

Impact
======

When running GnuPG interactively, specially crafted messages may be used to crash gpg or gpg2. Running gpg in batch mode, as done by all software using gpg as a backend (e.g. mailers), is not affected by this bug. Exploiting this overflow seems to be possible.

gpg-agent, gpgsm, gpgv or other tools from the GnuPG suite are not affected.

Solution
========

Apply the following patch to GnuPG. It should apply cleanly to current versions (1.4.5 as well as 2.0.0) but might also work for older versions.

2006-11-27  Werner Koch  <wk@g10code.com>

	* openfile.c (ask_outfile_name): Fixed buffer overflow occurring
	if make_printable_string returns a longer string.  Fixes bug 728.

--- g10/openfile.c	(revision 4348)
+++ g10/openfile.c	(working copy)
@@ -144,8 +144,8 @@
   s = _("Enter new filename");
-  n = strlen(s) + namelen + 10;
   defname = name && namelen? make_printable_string( name, namelen, 0): NULL;
+  n = strlen(s) + (defname?strlen (defname):0) + 10;
   prompt = xmalloc(n);
   if( defname )
     sprintf(prompt, "%s [%s]: ", s, defname );

Background
==========

The code in question was introduced on July 1, 1999 and is a pretty obvious bug. make_printable_string is supposed to replace possibly dangerous characters in a prompt and returns a malloced string. Thus this string may be longer than the original one; the buffer for the prompt had only been allocated at the size of the original string - oops. Note that using snprintf would not have helped in this case. How I wish C-90 had introduced asprintf, or at least that it would be available on more platforms.

The original bug report is at https://bugs.g10code.com/gnupg/issue728 .

[1] See http://lists.gnupg.org/mailman/listinfo/gnupg-devel .

-- 
Werner Koch <wk@gnupg.org>
The GnuPG Experts        http://g10code.com
Join the Fellowship and protect your Freedom!   http://www.fsfe.org
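Review bot: the hunk corrects the ordering problem (n is now computed after defname exists and from strlen(defname)), but the last context line still writes with an unbounded sprintf into the n-byte buffer, so allocation and write are kept consistent only by the hand-computed "+ 10" slack. Consider passing the same bound, `snprintf(prompt, n, "%s [%s]: ", s, defname );`, and a one-line comment stating that the 10 budgets the `" [%s]: "` decoration plus the terminating NUL, so a later edit to the format string cannot silently reintroduce the overflow.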
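The length mismatch described in the Background section, as an added C example that is not GnuPG's code: a hypothetical stand-in for make_printable_string that escapes non-printable bytes, a helper reporting how far short the pre-fix sizing rule falls for a given name, and a prompt builder that, like the patch, sizes the buffer from the escaped string and additionally bounds the write with snprintf. The "\xNN" escape syntax and the 4x worst-case growth are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for GnuPG's make_printable_string: returns a fresh
 * malloc'd copy of NAME with each non-printable byte (and backslash) rewritten
 * as a 4-byte "\xNN" escape. The real escape syntax is not on the page; what
 * matters is that the result can be longer than the input. */
char *printable_copy(const unsigned char *name, size_t namelen)
{
    char *res = malloc(4 * namelen + 1);  /* worst case: every byte escaped */
    size_t i, out = 0;
    if (!res) return NULL;
    for (i = 0; i < namelen; i++) {
        if (isprint(name[i]) && name[i] != '\\')
            res[out++] = (char)name[i];
        else
            out += (size_t)sprintf(res + out, "\\x%02X", (unsigned)name[i]);
    }
    res[out] = '\0';
    return res;
}

/* Bytes by which the pre-fix allocation, strlen(s) + namelen + 10, falls short
 * of "<s> [<escaped name>]: " plus its NUL; 0 when it happens to fit. */
size_t old_size_shortfall(const char *s, const unsigned char *name, size_t namelen)
{
    char *defname = printable_copy(name, namelen);
    size_t needed, have = strlen(s) + namelen + 10;
    if (!defname) return 0;
    needed = strlen(s) + strlen(defname) + sizeof(" [" "]: ");  /* sizeof counts the NUL */
    free(defname);
    return needed > have ? needed - have : 0;
}

/* Hardened builder: size n from the escaped string (as the patch does) and pass
 * the same n to snprintf so the allocation and the write cannot drift apart. */
char *build_prompt(const char *s, const unsigned char *name, size_t namelen)
{
    char *defname = (name && namelen) ? printable_copy(name, namelen) : NULL;
    size_t n = strlen(s) + (defname ? strlen(defname) : 0) + 10;
    char *prompt = malloc(n);
    int w = prompt ? (defname ? snprintf(prompt, n, "%s [%s]: ", s, defname)
                              : snprintf(prompt, n, "%s: ", s)) : -1;
    free(defname);
    if (w < 0 || (size_t)w >= n) { free(prompt); return NULL; }  /* never return a truncated prompt */
    return prompt;
}
```

With a three-byte name consisting of control characters, old_size_shortfall reports a 5-byte deficit: the escaped name is 12 bytes, while the old rule budgeted for 3.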