heap overflow in gpg 1.2.1

omnihil hermes at camel.ethereal.net
Fri Apr 25 01:28:02 CEST 2003



This doesn't appear to be exploitable on any platforms I know of due to
the character range validation that occurs. However, it's still a silly
bug and would be good to fix. First, the reproduce case:

gpg --keyserver hkp://www.yahoo.com:`perl -e 'print "9"x5000'` --search a

The problem is with sprintf() to form the URL (in the search case, but I
saw one or two other identical bugs in URL-forming). The buffer is formed
with a sum of strlens, but instead of a strlen() on the port there's just
a "+ 100" or a "+ 50" or whatever (depending on which malloc/sprintf pair
you look at). This means the heap is overflowed if the port # provided is
longer than that many bytes. Change it to a strlen() and everything will
be happy.

hermes at camel.ethereal.net
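The sizing mistake described in the post, as an added example in C that is not GnuPG's code: the buggy allocation uses strlen() for host and query but a fixed "+ 100" for the port, while the fixed version measures every component and bounds the write with snprintf(). The HKP path "/pks/lookup?search=" and the helper names are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed illustration of the sizing bug the post describes, not GnuPG's
 * source: host and query are measured with strlen() but the port only gets a
 * fixed "+ 100" of slack; the "/pks/lookup?search=" layout is assumed here. */
#define PORT_SLACK 100
/* Bytes sprintf("hkp://%s:%s/pks/lookup?search=%s") writes, NUL included. */
static size_t url_needed(const char *host, const char *port, const char *query)
{
    return strlen("hkp://") + strlen(host) + 1 + strlen(port)
         + strlen("/pks/lookup?search=") + strlen(query) + 1;
}
/* What the buggy malloc() hands out: strlen() everywhere except the port. */
static size_t buggy_alloc_size(const char *host, const char *query)
{
    return strlen("hkp://") + strlen(host) + 1 + PORT_SLACK
         + strlen("/pks/lookup?search=") + strlen(query) + 1;
}
/* 1 if the buggy allocation would be overrun by this port; nothing is written. */
int would_overflow(const char *host, const char *port, const char *query)
{
    return url_needed(host, port, query) > buggy_alloc_size(host, query);
}
/* Fixed pattern: size every component with strlen(), then bound the write with
 * snprintf() against the real size. Returns a malloc()ed URL or NULL. */
char *build_url_fixed(const char *host, const char *port, const char *query)
{
    size_t n = url_needed(host, port, query);
    char *url = malloc(n); if (!url) return NULL;
    int w = snprintf(url, n, "hkp://%s:%s/pks/lookup?search=%s", host, port, query);
    if (w < 0 || (size_t)w >= n) { free(url); return NULL; } /* arithmetic off: bail */
    return url;
}
/* Helpers mirroring the reproduce case: a port string made of `len` nines. */
static char *nines(size_t len)
{
    char *p = malloc(len + 1);
    if (p) { memset(p, '9', len); p[len] = '\0'; }
    return p;
}
int demo_overflow(size_t port_len)      /* 1 if the buggy code would overflow */
{
    char *port = nines(port_len);
    int r = port ? would_overflow("www.yahoo.com", port, "a") : -1;
    free(port); return r;
}
size_t fixed_url_len(size_t port_len)   /* strlen() of the fixed URL, 0 on error */
{
    char *port = nines(port_len);
    char *url = port ? build_url_fixed("www.yahoo.com", port, "a") : NULL;
    size_t n = url ? strlen(url) : 0; free(url); free(port); return n;
}
```

With the 5000-character port from the reproduce case, would_overflow() reports the buggy sizing as overrun while build_url_fixed() returns the full 5040-byte URL without writing past its buffer.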

More information about the Gnupg-devel mailing list