[git] GnuPG - branch, STABLE-BRANCH-2-0, updated. gnupg-2.0.26-34-gd2b0e61

by Werner Koch cvs at cvs.gnupg.org
Tue Jan 13 02:45:23 CET 2015


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".

The branch, STABLE-BRANCH-2-0 has been updated
       via  d2b0e613131d52da54c3dbd72f4bfba8f7b71ad3 (commit)
      from  d92fe965f3290a200d0a578decdd0867817b3b7b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit d2b0e613131d52da54c3dbd72f4bfba8f7b71ad3
Author: Werner Koch <wk at gnupg.org>
Date:   Fri Dec 12 10:41:25 2014 +0100

    gpg: Fix possible read of unallocated memory
    
    * g10/parse-packet.c (can_handle_critical): Check content length
    before calling can_handle_critical_notation.
    --
    
    The problem was found by Jan Bee and gniibe proposed the used fix.
    Thanks.
    
    This bug can't be exploited: Only if the announced length of the
    notation is 21 or 32 a memcmp against fixed strings using that length
    would be done.  The compared data is followed by the actual signature
    and thus it is highly likely that not even a read of unallocated memory
    will happen.  Nevertheless such a bug needs to be fixed.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index 63b97f0..1048402 100644
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -1196,10 +1196,13 @@ can_handle_critical( const byte *buffer, size_t n, int type )
   switch( type )
     {
     case SIGSUBPKT_NOTATION:
-      if(n>=8)
-	return can_handle_critical_notation(buffer+8,(buffer[4]<<8)|buffer[5]);
-      else
-	return 0;
+      if (n >= 8)
+	{
+	  size_t notation_len = ((buffer[4] << 8) | buffer[5]);
+	  if (n - 8 >= notation_len)
+	    return can_handle_critical_notation (buffer + 8, notation_len);
+	}
+      return 0;
     case SIGSUBPKT_SIGNATURE:
     case SIGSUBPKT_SIG_CREATED:
     case SIGSUBPKT_SIG_EXPIRE:
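
Review bot: the new `n - 8 >= notation_len` test in the SIGSUBPKT_NOTATION case is safe from size_t wrap-around only because it sits inside `if (n >= 8)`; a one-line comment saying so would keep a later refactor from separating the two checks. The constants 8, 4 and 5 are also unexplained at this point: a comment naming the header fields they skip or read, or named constants, would make it easier to confirm that `buffer + 8` plus `notation_len` stays within `n`. Falling through to `return 0` when the announced length does not fit is the fail-closed result one wants from can_handle_critical, and that intent is worth stating in the same comment.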

-----------------------------------------------------------------------

Summary of changes:
 g10/parse-packet.c |   11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)


hooks/post-receive
-- 
The GNU Privacy Guard
http://git.gnupg.org



