Bug Report: Client DOS in g10 keyserver search
    Christoph M. Wintersteiger
    christoph.wintersteiger at inf.ethz.ch
    Thu Apr 26 11:34:13 CEST 2007

At least versions 1.4.4, 1.4.7 and 2.0.3 of GnuPG allow malicious
keyservers to crash a client when searching for keys. The bug is due to
an incorrect implementation of trailing whitespace removal from a
keyserver's response.
The bug can be found in g10/keyserver.c at
    line 1410 (version 1.4.4)
    line 1415 (version 1.4.7)
    line 1424 (version 2.0.3),
which reads
    plen[ptr]='\0';
Obviously the two variables have been reversed and the line should be
corrected to
    ptr[plen]='\0';
At least versions 2.95, 3.2.3 and 4.1.2 of GCC do not warn when casting
the unsigned to a pointer and the pointer to an index.
Regards,
CM Wintersteiger
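An added example, not code from the report or from GnuPG, showing the trimming step written in the corrected index order with the ptr/plen names used above; the function name, the NULL check, the underflow guard and the sample line are assumptions:

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Strip trailing whitespace from a keyserver response line in place and
 * return the new length. ptr/plen mirror the names in the report.
 *
 * The reported bug wrote plen[ptr]='\0'. C accepts that without a warning
 * because a[b] is defined as *(a + b) and integer + pointer is a legal
 * expression, so the NUL byte was stored at address (plen + ptr) rather
 * than at the end of the buffer. The correct form indexes the buffer by
 * its length: ptr[plen]. */
size_t trim_trailing_ws(char *ptr, size_t plen)
{
    if (ptr == NULL)
        return 0;
    /* Walk back over whitespace; the plen > 0 test keeps an all-whitespace
     * line from driving plen below zero (it is unsigned). */
    while (plen > 0 && isspace((unsigned char)ptr[plen - 1]))
        plen--;
    ptr[plen] = '\0';   /* buffer[length], never length[buffer] */
    return plen;
}

/* Constructed sample line (not a real keyserver reply) with CRLF and
 * spaces appended, as a response might carry them. */
size_t demo_trim(void)
{
    char line[] = "info:1:1   \r\n";
    return trim_trailing_ws(line, strlen(line));   /* returns 8 */
}
```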