Clarification on advisories

Werner Koch wk at gnupg.org
Mon Mar 23 10:48:12 CET 2015


On Mon, 23 Mar 2015 06:31, venture37 at gmail.com said:

> In the 1.4.19 announcement, the entry: "Fixed bugs related to bogus
> keyrings." is the fix for CVE-2015-1606?

The Debian announcement describes this as

    The keyring parsing code did not properly reject certain packet types
    not belonging in a keyring, which caused an access to memory already
    freed. This could allow remote attackers to cause a denial of service
    (crash) via crafted keyring files.

This seems to be about this fix:

  commit 81d3e541326e94d26a953aa70afc3cb149d11ebe

    gpg: Prevent an invalid memory read using a garbled keyring.
    
    * g10/keyring.c (keyring_get_keyblock): Whitelist allowed packet
    types.
    --
    
    The keyring DB code did not reject packets which don't belong into a
    keyring.  If for example the keyblock contains a literal data packet
    it is expected that the processing code stops at the data packet and
    reads from the input stream which is referenced from the data packets.
    Obviously the keyring processing code does not and cannot do that.
    However, when exporting this messes up the IOBUF and leads to an
    invalid read of sizeof (int).
    
    We now skip all packets which are not allowed in a keyring.
        
    Reported-by: Hanno Böck <hanno at hboeck.de>
    
    (back ported from commit f0f71a721ccd7ab9e40b8b6b028b59632c0cc648)
    
    [dkg: rebased to STABLE-BRANCH-1-4]
    Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>


(I don't think that "access to memory already freed" is the right
description.)

> Am I right in thinking the issues found through fuzzing which led to
> the release of 2.1.2 still have not been back ported to previous
> releases? Certainly most of the changes in the commits highlighted are
> applicable accounting for the change of line numbers.

I may not understand what your question here is.  The commit you are
referring to is against 2.1 (current master) and not against 1.4.  The
parts relevant to 1.4 and 2.0 have been ported back (see above for 1.4).


Shalom-Salam,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.
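The packet-type whitelist the commit message describes, as an added example that is not GnuPG's code: a minimal OpenPGP packet-header walker over a constructed keyring buffer that skips any packet type not allowed in a keyring (here an injected literal data packet) and stops at a truncated or oversized header instead of reading past the buffer. The tag numbers are RFC 4880's; the function names and sample bytes are assumptions made for this example.

```c
/* Added example, not GnuPG code: walk an OpenPGP keyring buffer and keep only
 * packet types that belong in a keyring (RFC 4880 transferable keys), skipping
 * the rest, e.g. an injected literal data packet.  Only old-format 1/2-byte and
 * new-format 1/2-byte lengths are parsed; other encodings count as malformed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum { PKT_SIG = 2, PKT_SECKEY = 5, PKT_PUBKEY = 6, PKT_SECSUBKEY = 7,
       PKT_LITERAL = 11, PKT_USERID = 13, PKT_PUBSUBKEY = 14, PKT_ATTR = 17 };
struct keyring_stats { int accepted, skipped, malformed; };
/* Whitelist, not blacklist: unknown or out-of-place types are never processed. */
static int allowed_in_keyring(int tag) {
    return tag == PKT_PUBKEY || tag == PKT_PUBSUBKEY || tag == PKT_SECKEY ||
           tag == PKT_SECSUBKEY || tag == PKT_USERID || tag == PKT_ATTR || tag == PKT_SIG;
}
/* Parse one packet header; returns header length, or 0 if unsupported/truncated. */
static size_t parse_header(const uint8_t *b, size_t n, int *tag, size_t *body) {
    if (n < 2 || !(b[0] & 0x80)) return 0;
    if (b[0] & 0x40) {                                  /* new format */
        *tag = b[0] & 0x3f;
        if (b[1] < 192) { *body = b[1]; return 2; }
        if (b[1] < 224 && n >= 3) { *body = ((b[1] - 192) << 8) + b[2] + 192; return 3; }
        return 0;                                       /* 4-byte or partial lengths */
    }
    *tag = (b[0] >> 2) & 0x0f;                          /* old format */
    if ((b[0] & 3) == 0) { *body = b[1]; return 2; }
    if ((b[0] & 3) == 1 && n >= 3) { *body = ((size_t)b[1] << 8) | b[2]; return 3; }
    return 0;                                           /* 4-byte or indeterminate */
}
/* Stops at the first malformed header instead of reading past the buffer. */
struct keyring_stats scan_keyring(const uint8_t *buf, size_t n) {
    struct keyring_stats st = {0, 0, 0};
    for (size_t off = 0; off < n; ) {
        int tag; size_t body, hdr = parse_header(buf + off, n - off, &tag, &body);
        if (!hdr || body > n - off - hdr) { st.malformed++; break; }
        if (allowed_in_keyring(tag)) st.accepted++;
        else { fprintf(stderr, "skipped packet of type %d in keyring\n", tag); st.skipped++; }
        off += hdr + body;
    }
    return st;
}
/* Constructed sample keyring: pubkey(6), user ID(13), literal data(11), signature(2). */
static const uint8_t SAMPLE[] = {
    0x99, 0x00, 0x02, 0xaa, 0xbb,   /* old format, tag 6, 2-byte length 2 */
    0xb4, 0x03, 'b', 'o', 'b',      /* old format, tag 13, 1-byte length 3 */
    0xcb, 0x02, 0x00, 0x00,         /* new format, tag 11: does not belong here */
    0x88, 0x01, 0x00                /* old format, tag 2, 1-byte length 1 */
};
```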
