[git] GnuPG - branch, master, updated. gnupg-2.1.1-65-gf0f71a7

by Werner Koch cvs at cvs.gnupg.org
Mon Feb 9 17:24:16 CET 2015


The branch, master has been updated
       via  f0f71a721ccd7ab9e40b8b6b028b59632c0cc648 (commit)
       via  0835d2f44ef62eab51fce6a927908f544e01cf8f (commit)
       via  39978487863066e59bb657f5fe4e8baab510da7e (commit)
      from  0de5c6a9a783ed9dc69cecbf34eadcaace4be243 (commit)


- Log -----------------------------------------------------------------
commit f0f71a721ccd7ab9e40b8b6b028b59632c0cc648
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Feb 9 15:46:00 2015 +0100

    gpg: Prevent an invalid memory read using a garbled keyring.
    
    * g10/keyring.c (keyring_get_keyblock): Whitelist allowed packet
    types.
    * g10/keydb.c (parse_keyblock_image): Ditto.
    --
    
    The keyring DB code did not reject packets which do not belong in a
    keyring.  If for example the keyblock contains a literal data packet
    it is expected that the processing code stops at the data packet and
    reads from the input stream which is referenced from the data packets.
    Obviously the keyring processing code does not and cannot do that.
    However, when exporting this messes up the IOBUF and leads to an
    invalid read of sizeof (int).
    
    We now skip all packets which are not allowed in a keyring.
    
    Reported-by: Hanno Böck <hanno at hboeck.de>
    
    Test data:
    
      gpg2 --no-default-keyring --keyring FILE --export >/dev/null
    
    With this unpacked data for FILE:
    
    -----BEGIN PGP ARMORED FILE-----
    
    mI0EVNP2zQEEALvETPVDCJDBXkegF4esiV1fqlne40yJnCmJeDEJYocwFPXfFA86
    sSGjInzgDbpbC9gQPwq91Qe9x3Vy81CkyVonPOejhINlzfpzqAAa3A6viJccZTwt
    DJ8E/I9jg53sbYW8q+VgfLn1hlggH/XQRT0HkXMP5y9ClURYnTsNwJhXABEBAAGs
    CXRlc3QgdGVzdIi5BBMBCgAjBQJU0/bNAhsDBwsJCAcDAgEGFQgCCQoLBBYCAwEC
    HgECF4AACgkQlsmuCapsqYLvtQP/byY0tM0Lc3moftbHQZ2eHj9ykLjsCjeMDfPx
    kZUUtUS3HQaqgZLZOeqPjM7XgGh5hJsd9pfhmRWJ0x+iGB47XQNpRTtdLBV/WMCS
    l5z3uW7e9Md7QVUVuSlJnBgQHTS6EgP8JQadPkAiF+jgpJZXP+gFs2j3gobS0qUF
    eyTtxs+wAgAD
    =uIt9
    -----END PGP ARMORED FILE-----
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/g10/keydb.c b/g10/keydb.c
index 401478a..cf422a8 100644
--- a/g10/keydb.c
+++ b/g10/keydb.c
@@ -771,21 +771,30 @@ parse_keyblock_image (iobuf_t iobuf, int pk_no, int uid_no,
           err = gpg_error (GPG_ERR_INV_KEYRING);
           break;
         }
-      if (pkt->pkttype == PKT_COMPRESSED)
-        {
-          log_error ("skipped compressed packet in keybox blob\n");
-          free_packet(pkt);
-          init_packet(pkt);
-          continue;
-        }
-      if (pkt->pkttype == PKT_RING_TRUST)
+
+      /* Filter allowed packets.  */
+      switch (pkt->pkttype)
         {
-          log_info ("skipped ring trust packet in keybox blob\n");
+        case PKT_PUBLIC_KEY:
+        case PKT_PUBLIC_SUBKEY:
+        case PKT_SECRET_KEY:
+        case PKT_SECRET_SUBKEY:
+        case PKT_USER_ID:
+        case PKT_ATTRIBUTE:
+        case PKT_SIGNATURE:
+          break; /* Allowed per RFC.  */
+
+        default:
+          /* Note that can't allow ring trust packets here and some of
+             the other GPG specific packets don't make sense either.  */
+          log_error ("skipped packet of type %d in keybox\n",
+                     (int)pkt->pkttype);
           free_packet(pkt);
           init_packet(pkt);
           continue;
         }
 
+      /* Other sanity checks.  */
       if (!in_cert && pkt->pkttype != PKT_PUBLIC_KEY)
         {
           log_error ("parse_keyblock_image: first packet in a keybox blob "
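Review bot: The new default branch reports every skipped packet with log_error, including ring trust packets, which the removed code deliberately logged at log_info ("skipped ring trust packet in keybox blob"); if such packets are still expected in a keybox blob, every read of an affected blob now emits an error line. Keeping a dedicated case ahead of the default, `case PKT_RING_TRUST: log_info ("skipped ring trust packet in keybox blob\n");` followed by the same free/init/continue, preserves the old severity while the genuinely foreign types still hit log_error. The message would also be easier to act on with a packet name rather than the bare numeric type, if a name table is available in this file. parse_keyblock_image starts before and continues after this hunk.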
diff --git a/g10/keyring.c b/g10/keyring.c
index 6060f08..ee76e8a 100644
--- a/g10/keyring.c
+++ b/g10/keyring.c
@@ -406,12 +406,31 @@ keyring_get_keyblock (KEYRING_HANDLE hd, KBNODE *ret_kb)
             rc = GPG_ERR_INV_KEYRING;
             break;
         }
-	if (pkt->pkttype == PKT_COMPRESSED) {
-	    log_error ("skipped compressed packet in keyring\n");
+
+        /* Filter allowed packets.  */
+        switch (pkt->pkttype)
+          {
+          case PKT_PUBLIC_KEY:
+          case PKT_PUBLIC_SUBKEY:
+          case PKT_SECRET_KEY:
+          case PKT_SECRET_SUBKEY:
+          case PKT_USER_ID:
+          case PKT_ATTRIBUTE:
+          case PKT_SIGNATURE:
+            break; /* Allowed per RFC.  */
+          case PKT_RING_TRUST:
+          case PKT_OLD_COMMENT:
+          case PKT_COMMENT:
+          case PKT_GPG_CONTROL:
+            break; /* Allowed by us.  */
+
+          default:
+	    log_error ("skipped packet of type %d in keyring\n",
+                       (int)pkt->pkttype);
 	    free_packet(pkt);
 	    init_packet(pkt);
 	    continue;
-        }
+          }
 
         if (in_cert && (pkt->pkttype == PKT_PUBLIC_KEY
                         || pkt->pkttype == PKT_SECRET_KEY)) {
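Review bot: The keyring whitelist admits PKT_GPG_CONTROL from an on-disk keyring, and the `/* Allowed by us. */` comment does not say which writer puts control packets there; if no keyring writer emits them, that case is avoidable attack surface for exactly the garbled-input class this commit addresses and should fall through to the default branch. If it is needed, a comment naming the producer, e.g. `break; /* GnuPG-specific packets that gpg itself writes into keyrings.  */`, would make the intent reviewable. The added `log_error` line is indented with a tab while its continuation line and the new case labels use spaces; pick one. keyring_get_keyblock starts before and continues after this hunk.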
@@ -478,7 +497,7 @@ keyring_get_keyblock (KEYRING_HANDLE hd, KBNODE *ret_kb)
     if (rc || !ret_kb)
 	release_kbnode (keyblock);
     else {
-        /*(duplicated form the loop body)*/
+        /*(duplicated from the loop body)*/
         if ( pkt && pkt->pkttype == PKT_RING_TRUST
              && lastnode
              && lastnode->pkt->pkttype == PKT_SIGNATURE

commit 0835d2f44ef62eab51fce6a927908f544e01cf8f
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Feb 9 10:54:06 2015 +0100

    gpg: Fix a NULL-deref in export due to invalid packet lengths.
    
    * g10/build-packet.c (write_fake_data): Take care of a NULL stored as
    opaque MPI.
    --
    
    Reported-by: Hanno Böck <hanno at hboeck.de>
    
    Test data:
    
         gpg2 --no-default-keyring --keyring FILE --export
    
    With this unpacked data for FILE:
    
    -----BEGIN PGP ARMORED FILE-----
    Version: GnuPG v2
    Comment: Use "gpg --dearmor" for unpacking
    
    mI0EGRkZGRkZGRkZGRkZGRkBGRkZGRkZGRkZGRkZGQAZGRkZGRkZGRkZGRkZGRkZ
    GRkZInzgDbpa/9gQ4wq9////f3Vy81CkyVq3HQaqgZLZOeqPjM7XgGh5hJvAkpec
    9wAAAgDHe0FVFbkppJZXP+gFs6z3gobS0qUFeyTtxs+wAgAD
    =JDFT
    -----END PGP ARMORED FILE-----
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/g10/build-packet.c b/g10/build-packet.c
index 6bd1c9b..cda753c 100644
--- a/g10/build-packet.c
+++ b/g10/build-packet.c
@@ -261,6 +261,9 @@ write_fake_data (IOBUF out, gcry_mpi_t a)
   if (!a)
     return 0;
   p = gcry_mpi_get_opaque ( a, &n);
+  if (!p)
+    return 0; /* For example due to a read error in
+                 parse-packet.c:read_rest.  */
   return iobuf_write (out, p, (n+7)/8 );
 }
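Review bot: The new `if (!p) return 0;` appears to turn a key whose parameters could not be read into a silently shorter exported packet: write_fake_data reports success, and its only visible caller (`write_fake_data (a, pk->pkey[0]);` in do_key, in the next hunk) discards the return value anyway. Since this path is reached precisely when the input was corrupt, log it before returning so the truncated export is diagnosable, e.g. `log_error ("opaque MPI without data; skipping in export\n");`, or return `gpg_error (GPG_ERR_BAD_DATA)` and check it at the call site. The existing `if (!a) return 0;` has the same silent-success shape and may deserve the same treatment.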
 
@@ -305,9 +308,9 @@ do_key (iobuf_t out, int ctb, PKT_public_key *pk)
   nskey = pubkey_get_nskey (pk->pubkey_algo);
   npkey = pubkey_get_npkey (pk->pubkey_algo);
 
-  /* If we don't have any public parameters - which is the case if we
-     don't know the algorithm used - the parameters are stored as one
-     blob in a faked (opaque) MPI. */
+  /* If we don't have any public parameters - which is for example the
+     case if we don't know the algorithm used - the parameters are
+     stored as one blob in a faked (opaque) MPI. */
   if (!npkey)
     {
       write_fake_data (a, pk->pkey[0]);

commit 39978487863066e59bb657f5fe4e8baab510da7e
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Feb 9 10:21:19 2015 +0100

    gpg: Fix a NULL-deref due to empty ring trust packets.
    
    * g10/parse-packet.c (parse_trust): Always allocate a packet.
    --
    
    Reported-by: Hanno Böck <hanno at hboeck.de>
    Signed-off-by: Werner Koch <wk at gnupg.org>
    
    Test data:
    
     gpg2 --no-default-keyring --keyring FILE --export
    
    With this unpacked data for FILE:
    
    -----BEGIN PGP ARMORED FILE-----
    Version: GnuPG v2
    Comment: Use "gpg --dearmor" for unpacking
    
    mI0EVNP2zQEEALvETPVDCJDBXkegF4esiV1fqlne40yJnCmJeDEJYocwFPXfFA86
    sSGjInzgDbpbC9gQPwq91Qe9x3Vy81CkyVonPOejhINlzfpzqAAa3A6viJccZTwt
    DJ8E/I9jg53sbYW8q+VgfLn1hlggH/XQRT0HkXMP5y9ClURYnTsNwJhXABEBAAG0
    CXRlc3QgdGVzdIi5BBMBCgAjBQJU0/bNAhsDBwsJCAcDAgEGFQgCCQoLBBYCAwEC
    HgECF4AACgkQlsmuCapsqYLvtQP/byY0tM0Lc3moftbHQZ2eHj9ykLjsCjeMDfPx
    kZUUtUS3HQaqgZLZOeqPjM7XgGh5hJsd9pfhmRWJ0x+iGB47XQNpRTtdLBV/WMCS
    l5z3uW7e9Md7QVUVuSlJnBgQHTS6EgP8JQadPkAiF+jgpJZXP+gFs2j3gobS0qUF
    eyTtxs+wAAAD
    =puSt
    -----END PGP ARMORED FILE-----

diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index 524fabe..012d373 100644
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -2596,11 +2596,11 @@ parse_trust (IOBUF inp, int pkttype, unsigned long pktlen, PACKET * pkt)
 
   (void) pkttype;
 
+  pkt->pkt.ring_trust = xmalloc (sizeof *pkt->pkt.ring_trust);
   if (pktlen)
     {
       c = iobuf_get_noeof (inp);
       pktlen--;
-      pkt->pkt.ring_trust = xmalloc (sizeof *pkt->pkt.ring_trust);
       pkt->pkt.ring_trust->trustval = c;
       pkt->pkt.ring_trust->sigcache = 0;
       if (!c && pktlen == 1)
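Review bot: The hoisted `xmalloc` leaves the ring_trust struct uninitialised, so both branches now have to assign trustval and sigcache by hand (the else branch does so in the next hunk), and any field added to the struct later would be garbage on at least one path. Allocating with a zeroing wrapper, `pkt->pkt.ring_trust = xcalloc (1, sizeof *pkt->pkt.ring_trust);`, if the project's allocator set provides one, removes the duplicated assignments and leaves the empty-packet case with nothing to initialise. The `if (!c && pktlen == 1)` branch continues past the hunk, and parse_trust starts before it.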
@@ -2619,6 +2619,8 @@ parse_trust (IOBUF inp, int pkttype, unsigned long pktlen, PACKET * pkt)
     }
   else
     {
+      pkt->pkt.ring_trust->trustval = 0;
+      pkt->pkt.ring_trust->sigcache = 0;
       if (list_mode)
 	es_fprintf (listfp, ":trust packet: empty\n");
     }

-----------------------------------------------------------------------

Summary of changes:
 g10/build-packet.c |  9 ++++++---
 g10/keydb.c        | 27 ++++++++++++++++++---------
 g10/keyring.c      | 27 +++++++++++++++++++++++----
 g10/parse-packet.c |  4 +++-
 4 files changed, 50 insertions(+), 17 deletions(-)

