Bug Report: Client DOS in g10 keyserver search

Simon Josefsson simon at josefsson.org
Thu Apr 26 13:15:08 CEST 2007


"Christoph M. Wintersteiger" <christoph.wintersteiger at inf.ethz.ch>
writes:

> At least versions 1.4.4, 1.4.7 and 2.0.3 of GnuPG allow malicious
> keyservers to crash a client when searching for keys. The bug is due to
> an incorrect implementation of trailing whitespace removal from a
> keyserver's response.
>
> The bug can be found in g10/keyserver.c at 
> line 1410 (version 1.4.4)
> line 1415 (version 1.4.7)
> line 1424 (version 2.0.3),
> which reads
> plen[ptr]='\0';
>
> Obviously the two variables have been reversed and the line should be
> corrected to
> ptr[plen]='\0';

I thought those two statements were equivalent in C.

Can you trigger the bug in practice?

/Simon
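The disagreement in this message is whether `plen[ptr]` and `ptr[plen]` write to different places. The C standard defines `E1[E2]` as `(*((E1)+(E2)))`, and pointer-plus-integer addition is commutative, so with a `char *` and an integer both spellings designate the same byte. The following is an added example, not code from the message above or from GnuPG: a trailing-whitespace trimmer written both ways, run over constructed response-style lines (made up here, not captured keyserver traffic), with function names chosen for this illustration. The all-whitespace and empty inputs are included because they drive the index to zero, the edge a reviewer would want to see exercised.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Trims trailing whitespace in place, writing the terminator with the
   index-first form, plen[ptr], that the report objects to.
   Returns the new length. (Example code, not the GnuPG routine.) */
size_t trim_trailing_index_first(char *ptr)
{
    size_t plen = strlen(ptr);
    while (plen > 0 && isspace((unsigned char)ptr[plen - 1]))
        plen--;
    plen[ptr] = '\0';   /* *(plen + ptr): the same byte as ptr[plen] */
    return plen;
}

/* The same routine with the pointer-first form the report proposes. */
size_t trim_trailing_pointer_first(char *ptr)
{
    size_t plen = strlen(ptr);
    while (plen > 0 && isspace((unsigned char)ptr[plen - 1]))
        plen--;
    ptr[plen] = '\0';   /* *(ptr + plen) */
    return plen;
}

/* Returns 1 if both subscript orders name the same lvalue for this
   pointer/index pair, i.e. their addresses compare equal. */
int same_lvalue(char *ptr, size_t plen)
{
    return &plen[ptr] == &ptr[plen];
}

/* Helper: trims a copy of s with the index-first form, returns new length. */
size_t trimmed_len(const char *s)
{
    char buf[128];
    snprintf(buf, sizeof buf, "%s", s);
    return trim_trailing_index_first(buf);
}

/* Runs both trimmers over constructed sample lines (invented for this
   example) and returns 1 if the results agree on every input. */
int both_forms_agree(void)
{
    static const char *samples[] = {
        "pub:99242560:17:1024:1234567890::   \t",  /* trailing blanks */
        "uid:Test User <test at example.org>  ",
        "    ",      /* all whitespace: plen drops to 0 */
        "",          /* empty line */
        "info:1:2"   /* nothing to trim */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char a[128], b[128];
        snprintf(a, sizeof a, "%s", samples[i]);
        snprintf(b, sizeof b, "%s", samples[i]);
        size_t la = trim_trailing_index_first(a);
        size_t lb = trim_trailing_pointer_first(b);
        if (la != lb || strcmp(a, b) != 0 || !same_lvalue(a, la))
            return 0;
    }
    return 1;
}

int main(void)
{
    char line[] = "pub:99242560:17:1024:1234567890::   \t";
    size_t n = trim_trailing_index_first(line);
    printf("trimmed to %zu bytes: \"%s\"\n", n, line);
    printf("both forms agree on all samples: %s\n",
           both_forms_agree() ? "yes" : "no");
    return 0;
}
```

Because the two spellings are interchangeable, swapping them cannot by itself change behaviour; whether a malicious keyserver can crash the client would have to come from something else in how the response is buffered and indexed, which is exactly what the reply's second question asks for.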



More information about the Gnupg-devel mailing list