Bug Report: Client DOS in g10 keyserver search

Christoph M. Wintersteiger christoph.wintersteiger at inf.ethz.ch
Thu Apr 26 11:34:13 CEST 2007

At least versions 1.4.4, 1.4.7 and 2.0.3 of GnuPG allow malicious
keyservers to crash a client when searching for keys. The bug is due to
an incorrect implementation of trailing whitespace removal from a
keyserver's response.

The bug can be found in g10/keyserver.c at 
line 1410 (version 1.4.4)
line 1415 (version 1.4.7)
line 1424 (version 2.0.3),
which reads

Obviously the two variables have been reversed and the line should be
corrected to 

At least versions 2.95, 3.2.3 and 4.1.2 of GCC do not warn when casting
the unsigned to a pointer and the pointer to an index.
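The report describes a trailing-whitespace trimmer whose index and pointer variables were swapped, and notes that the compiler did not flag the mismatched casts. The following is an added example, not code from the report or from GnuPG: a stand-alone trimmer in C that keeps the index an integer and the buffer a pointer, bounds the backward scan by the length rather than by the terminator, and handles the cases a keyserver response can present (a normal line, a line of only whitespace, an empty line, a CRLF ending). Function names and the sample lines are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not GnuPG's): strip trailing whitespace from a
   NUL-terminated line in place and return the new length.  The loop
   variable is a plain size_t index; it is compared against 0, so an
   all-whitespace or empty line stops at index 0 instead of stepping
   backwards past the start of the buffer. */
size_t trim_trailing_ws(char *line)
{
    size_t len = strlen(line);

    /* isspace() takes an int in the range of unsigned char; cast the
       byte so negative char values are not passed to it. */
    while (len > 0 && isspace((unsigned char)line[len - 1]))
        len--;
    line[len] = '\0';
    return len;
}

/* Same operation for a buffer that is not NUL-terminated, as received
   from a socket: the scan is bounded by LEN only.  Nothing is written;
   the caller keeps the returned length as the trimmed extent. */
size_t trimmed_length(const char *buf, size_t len)
{
    while (len > 0 && isspace((unsigned char)buf[len - 1]))
        len--;
    return len;
}

int main(void)
{
    /* Constructed sample lines, roughly in the shape of a keyserver
       search listing; the values are not real key data. */
    char normal[]  = "pub: example key line   \t";
    char blank[]   = "   \t  ";
    char empty[]   = "";
    char crlf[]    = "info:1:2\r\n";
    const char raw[] = "uid:Example User <user@example.test>  \r\n";

    printf("normal -> %zu bytes: [%s]\n", trim_trailing_ws(normal), normal);
    printf("blank  -> %zu bytes: [%s]\n", trim_trailing_ws(blank), blank);
    printf("empty  -> %zu bytes: [%s]\n", trim_trailing_ws(empty), empty);
    printf("crlf   -> %zu bytes: [%s]\n", trim_trailing_ws(crlf), crlf);
    printf("raw    -> %zu of %zu bytes kept\n",
           trimmed_length(raw, sizeof raw - 1), sizeof raw - 1);
    return 0;
}
```

Keeping the index and the pointer in distinct, correctly typed variables is what makes the swap the report describes impossible to compile silently; building with -Wall -Wextra is a reasonable additional check, with the caveat from the report that the GCC versions it names did not warn on the original cast.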

CM Wintersteiger

