[Announce] GnuPG 1.4 and 2.0 buffer overflow

Werner Koch wk at gnupg.org
Tue Nov 28 09:17:37 CET 2006


On Mon, 27 Nov 2006 19:46, ca+gnupg at esmtp.org said:

> Wouldn't it be more secure to replace sprintf with snprintf
> (and the proper length restriction of course)?
>
>          snprintf(prompt, n, "%s [%s]: ", s, defname );

Actually I did this in the 2.0 SVN.  However, by the time I wrote that
code, snprintf was not available on all platforms and, even worse,
existing implementations had bugs, like forgetting to append a NUL.

> (same for strcpy() -> strlcpy(), strcat() -> strlcat(), etc).

No.  I consider the OpenBSD approach flawed.  Simply cutting off
strings helps against buffer overflows, but there are other problems:
You increase the complexity of the code because you need to track the
string termination conditions.  You change what the code does, and
somewhere else you run into problems because important properties of
the cut-off string are missing.  Think of an API which takes the
presence of a keyword to encrypt or not to encrypt the output.  The
code using strlcpy might be used to skip over comments and voila, you
have a neat way of controlling a remote application.

If you want protection against buffer overflow, audit the code and use
an OS which traps execution of code at arbitrary addresses.


Shalom-Salam,

   Werner
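The truncation hazard described in the message above, as an added example
that is not part of the original post and not GnuPG code: a hypothetical
option line is copied into a fixed buffer, and a hypothetical policy
routine decides whether to encrypt based on the presence of the keyword
"encrypt".  With a silently truncating copy (a local strlcpy equivalent,
since glibc lacks strlcpy) the keyword is cut off and the decision flips;
checking the return value of snprintf turns the same truncation into an
error instead.  The buffer size, the keyword and the sample input are
constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer size: large enough for short option lines only. */
#define OPTBUF 24

/* Local equivalent of BSD strlcpy (not in glibc): copies at most size-1
 * bytes, always NUL-terminates, returns strlen(src) so the caller could
 * detect truncation.  The "silent" caller below ignores that return. */
static size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t n = strlen(src);
    if (size) {
        size_t c = n < size - 1 ? n : size - 1;
        memcpy(dst, src, c);
        dst[c] = '\0';
    }
    return n;
}

/* Hypothetical policy: encrypt only if the keyword "encrypt" appears. */
static bool wants_encryption(const char *opts)
{
    return strstr(opts, "encrypt") != NULL;
}

/* Silent truncation: whatever fits is treated as the complete line. */
bool policy_with_truncation(const char *line)
{
    char buf[OPTBUF];
    my_strlcpy(buf, line, sizeof buf);   /* return value ignored */
    return wants_encryption(buf);
}

/* Checked copy: snprintf reports the length it wanted to write; a value
 * >= the buffer size means the line was cut and must not be trusted.
 * Returns -1 on truncation, 1 if encryption is requested, 0 otherwise. */
int policy_checked(const char *line)
{
    char buf[OPTBUF];
    int n = snprintf(buf, sizeof buf, "%s", line);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;
    return wants_encryption(buf) ? 1 : 0;
}

/* The prompt from the quoted reply, with the same truncation check. */
int format_prompt(char *out, size_t n, const char *s, const char *defname)
{
    int len = snprintf(out, n, "%s [%s]: ", s, defname);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Constructed input: 23 bytes of comment, then the keyword.  The comment
 * alone fills OPTBUF-1 bytes, so the keyword is exactly what gets cut. */
#define SAMPLE_LINE "comment=sign-this-first encrypt"

int main(void)
{
    char prompt[16];
    printf("truncated copy says encrypt=%d\n", policy_with_truncation(SAMPLE_LINE));
    printf("checked copy returns %d (-1 = truncated)\n", policy_checked(SAMPLE_LINE));
    printf("short line: %d / %d\n", policy_with_truncation("encrypt"),
           policy_checked("encrypt"));
    printf("prompt fits: %d\n", format_prompt(prompt, sizeof prompt, "Real name", "Alice"));
    return 0;
}
```

The point is not that snprintf is safe and strlcpy is not; both bound the
write.  The difference is whether the caller looks at the returned length
and refuses to act on a line it did not see in full.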




More information about the Gnupg-devel mailing list