Bug Report: Client DOS in g10 keyserver search

Simon Josefsson simon at josefsson.org
Thu Apr 26 13:15:08 CEST 2007

"Christoph M. Wintersteiger" <christoph.wintersteiger at inf.ethz.ch>

> At least versions 1.4.4, 1.4.7 and 2.0.3 of GnuPG allow malicious
> keyservers to crash a client when searching for keys. The bug is due to
> an incorrect implementation of trailing whitespace removal from a
> keyservers response. 
> The bug can be found in g10/keyserver.c at 
> line 1410 (version 1.4.4)
> line 1415 (version 1.4.7)
> line 1424 (version 2.0.3),
> which reads
> plen[ptr]='\0';
> Obviously the two variables have been reversed and the line should be
> corrected to 
> ptr[plen]='\0'; 

I thought those two statements were equivalent in C.

Can you trigger the bug in practice?


More information about the Gnupg-devel mailing list