[git] GnuPG - branch, master, updated. gnupg-2.1.8-59-g75c64c2

by Werner Koch cvs at cvs.gnupg.org
Fri Oct 2 11:35:16 CEST 2015



The branch, master has been updated
       via  75c64c2b6d77856b90903cc3b7c6a2f62ff8eb7b (commit)
       via  ddf9dd135acd2b3635bb986f6dfc0e4e446d5fad (commit)
      from  2acceba5cc299796c7b5b1851a9baeb75d9f32a1 (commit)


- Log -----------------------------------------------------------------
commit 75c64c2b6d77856b90903cc3b7c6a2f62ff8eb7b
Author: Werner Koch <wk at gnupg.org>
Date:   Fri Oct 2 11:31:45 2015 +0200

    dirmngr: Fix use-after-free due to a realloc shrinking.
    
    * dirmngr/ks-engine-hkp.c (map_host): Do not use original pointer
    after realloc.
    --
    
    vex01 reported and debugged the problem.
    
    GnuPG-bug-id: 2107
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index 18ad731..411f108 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -383,7 +383,7 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
           int n_v6, n_v4;
 
           /* First figure out whether this is a pool.  For a pool we
-             use a different strategy than for a plains erver: We use
+             use a different strategy than for a plain server: We use
              the canonical name of the pool as the virtual host along
              with the IP addresses.  If it is not a pool, we use the
              specified name. */
@@ -512,7 +512,7 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
               xfree (reftbl);
               return err;
             }
-          qsort (reftbl, refidx, sizeof *reftbl, sort_hostpool);
+          qsort (hi->pool, refidx, sizeof *reftbl, sort_hostpool);
         }
       else
         xfree (reftbl);
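Review bot: The new qsort call still spells its element size as `sizeof *reftbl`, naming the pointer the commit message says must not be used after the realloc. That is safe only because sizeof does not evaluate its operand, and a reader has to work that out; `qsort (hi->pool, refidx, sizeof *hi->pool, sort_hostpool);` keeps the size tied to the array actually sorted. The realloc itself and the rest of map_host's body lie outside this hunk.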

commit ddf9dd135acd2b3635bb986f6dfc0e4e446d5fad
Author: Werner Koch <wk at gnupg.org>
Date:   Thu Oct 1 13:21:25 2015 +0200

    agent: Fix alignment problem with the second passphrase struct.
    
    * agent/genkey.c (agent_ask_new_passphrase): Use a separate malloc for
    PI2.  Check return value of the malloc function.
    * agent/command-ssh.c (ssh_identity_register): Use a separate malloc
    for PI2.  Wipe PI2.
    --
    
    For whatever stupid reasons I once allocated only one memory area and
    split that into PI and PI2.  This is actually a common pattern with
    malloc but here we used a made up object size and do not take the
    extra alignment required into account.  One of these not yet hit by
    a (sig)bus PC/VAX hacker bugs.
    
    Instead of trying to fix the alignment, it is better to use a second
    calloc for the second struct.
    
    GnuPG-bug-id: 2112
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/agent/command-ssh.c b/agent/command-ssh.c
index 8be1255..0aa0098 100644
--- a/agent/command-ssh.c
+++ b/agent/command-ssh.c
@@ -3070,7 +3070,8 @@ ssh_identity_register (ctrl_t ctrl, ssh_key_type_spec_t *spec,
   char *comment = NULL;
   char *key_fpr = NULL;
   const char *initial_errtext = NULL;
-  struct pin_entry_info_s *pi = NULL, *pi2;
+  struct pin_entry_info_s *pi = NULL;
+  struct pin_entry_info_s *pi2 = NULL;
 
   err = ssh_key_grip (key, key_grip_raw);
   if (err)
@@ -3101,13 +3102,18 @@ ssh_identity_register (ctrl_t ctrl, ssh_key_type_spec_t *spec,
       goto out;
     }
 
-  pi = gcry_calloc_secure (2, sizeof (*pi) + MAX_PASSPHRASE_LEN + 1);
+  pi = gcry_calloc_secure (1, sizeof (*pi) + MAX_PASSPHRASE_LEN + 1);
   if (!pi)
     {
       err = gpg_error_from_syserror ();
       goto out;
     }
-  pi2 = pi + (sizeof *pi + MAX_PASSPHRASE_LEN + 1);
+  pi2 = gcry_calloc_secure (1, sizeof (*pi2) + MAX_PASSPHRASE_LEN + 1);
+  if (!pi2)
+    {
+      err = gpg_error_from_syserror ();
+      goto out;
+    }
   pi->max_length = MAX_PASSPHRASE_LEN + 1;
   pi->max_tries = 1;
   pi->with_repeat = 1;
@@ -3155,6 +3161,9 @@ ssh_identity_register (ctrl_t ctrl, ssh_key_type_spec_t *spec,
 
 
  out:
+  if (pi2 && pi2->max_length)
+    wipememory (pi2->pin, pi2->max_length);
+  xfree (pi2);
   if (pi && pi->max_length)
     wipememory (pi->pin, pi->max_length);
   xfree (pi);
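Review bot: The new wipe of the repeat-passphrase buffer is gated on `pi2->max_length`, but within the diff only `pi->max_length` is ever assigned (in the allocation hunk), and gcry_calloc_secure leaves pi2's field at zero. If the function sets `pi2->max_length` later, outside the visible hunks, this is fine; if it does not, `pi2->pin` is freed without being wiped on every path. Worth confirming against the part of ssh_identity_register that is not shown here.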
diff --git a/agent/genkey.c b/agent/genkey.c
index 13858ca..e8195c2 100644
--- a/agent/genkey.c
+++ b/agent/genkey.c
@@ -374,8 +374,16 @@ agent_ask_new_passphrase (ctrl_t ctrl, const char *prompt,
 	return err;
     }
 
-  pi = gcry_calloc_secure (2, sizeof (*pi) + MAX_PASSPHRASE_LEN + 1);
-  pi2 = pi + (sizeof *pi + MAX_PASSPHRASE_LEN + 1);
+  pi = gcry_calloc_secure (1, sizeof (*pi) + MAX_PASSPHRASE_LEN + 1);
+  if (!pi)
+    return gpg_error_from_syserror ();
+  pi2 = gcry_calloc_secure (1, sizeof (*pi2) + MAX_PASSPHRASE_LEN + 1);
+  if (!pi2)
+    {
+      err = gpg_error_from_syserror ();
+      xfree (pi2);
+      return err;
+    }
   pi->max_length = MAX_PASSPHRASE_LEN + 1;
   pi->max_tries = 3;
   pi->with_qualitybar = 1;
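Review bot: The pi2 allocation-failure path frees the wrong pointer: `xfree (pi2);` releases the NULL just tested, while the `pi` block allocated a few lines earlier leaks its secure memory, so that line should read `xfree (pi);`. The equivalent path in the command-ssh.c hunk is correct because its `goto out` reaches a cleanup that frees both. agent_ask_new_passphrase's body continues outside the hunk.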
@@ -422,6 +430,7 @@ agent_ask_new_passphrase (ctrl_t ctrl, const char *prompt,
     }
 
   xfree (initial_errtext);
+  xfree (pi2);
   xfree (pi);
   return err;
 }
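Review bot: The added `xfree (pi2);` in the final cleanup releases the repeat-passphrase buffer without an explicit wipe, whereas the command-ssh.c hunk in this same push wipes `pi2->pin` before freeing it. If xfree maps to a secure-memory free that zeroes the block the two are equivalent, but that is not visible from the diff; adding `if (pi2 && pi2->max_length) wipememory (pi2->pin, pi2->max_length);` ahead of the free would make the two call sites consistent. agent_ask_new_passphrase starts outside this hunk.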

-----------------------------------------------------------------------

Summary of changes:
 agent/command-ssh.c     | 15 ++++++++++++---
 agent/genkey.c          | 13 +++++++++++--
 dirmngr/ks-engine-hkp.c |  4 ++--
 3 files changed, 25 insertions(+), 7 deletions(-)





