heap overflow in gpg 1.2.1
omnihil
hermes at camel.ethereal.net
Fri Apr 25 01:28:02 CEST 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This doesn't appear to be exploitable on any platforms I know of due to
the character range validation that occurs. However, it's still a silly
bug and would be good to fix. First, the reproduce case:
gpg --keyserver hkp://www.yahoo.com:`perl -e 'print "9"x5000'` --search a
The problem is with sprintf() to form the URL (in the search case, but I
saw one or two other identical bugs in URL-forming). The buffer is formed
with a sum of strlens, but instead of a strlen() on the port there's just
a "+ 100" or a "+ 50" or whatever (depending on which malloc/sprintf pair
you look at). This means the heap is overflowed if the port # provided is
longer than that many bytes. Change it to a strlen() and everything will
be happy.
hermes at camel.ethereal.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)
iD8DBQE+qGVFs5rhqABIrF4RAnn9AKDMvTJ/7piRd5L/0PoSUpl6ZfW+dgCfemAv
2j7AhDqCfSEo696IdDXmQVI=
=uRDg
-----END PGP SIGNATURE-----
More information about the Gnupg-devel
mailing list