crash importing truncated subkeys

Tavis Ormandy taviso at gmail.com
Fri Apr 22 00:19:21 CEST 2022


Hello, I noticed that if there are two opaque identical public subkey
packets, but one is truncated, gpg crashes on import in gcry_mpi_cmp()

I just did this to repro:

$ gpgcompose --public-key taviso --public-subkey taviso \
    --user-id anything --public-subkey taviso           \
    | perl -p -e 's/(\xb9..\x04....)\x01/\1\xff/g'      \
    | head -c -1 | gpg --import
gpg: premature eof while reading rest of packet
gpg: signal Segmentation fault caught ... exiting
Segmentation fault

That ugly horrible regex is:

\xb9    : Find old-style public-subkey with 2 byte length
..      : skip over the length bytes
\x04    : looking for version 4
....    : skip over the timestamp
\x01    : change the algorithm so it's not recognized by gcry_mpi_cmp.

Then piping it into head to truncate the last packet.

I think it should work on any RSA public key, e.g. just replace
the --public-subkey taviso with the id, 4B092E28 works.

Tavis.

-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso at sdf.org
_\_V _( ) _( )  @taviso
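As an added illustration (not code from this report or from GnuPG), a small Python walker over old-format OpenPGP packet headers that flags a packet whose declared length is not backed by the bytes actually present, i.e. the truncation the report produces with head -c -1. The sample packets are constructed inline with placeholder MPIs, not real key material; build_subkey_packet, walk_packets and safe_to_import are names chosen here.

```python
import struct

def build_subkey_packet(algo=1, timestamp=0x62610000):
    """Constructed old-format public-subkey packet (tag 14), v4, with toy MPIs."""
    body = bytes([4]) + struct.pack(">I", timestamp) + bytes([algo])
    for mpi in (b"\x01\x01", b"\x03"):  # placeholder n and e, not real key material
        bits = mpi[0].bit_length() + 8 * (len(mpi) - 1)
        body += struct.pack(">H", bits) + mpi
    # 0xb9 = old-format CTB: tag 14, length type 1 (2-byte length), as in the report
    return bytes([0xB9]) + struct.pack(">H", len(body)) + body

def walk_packets(data):
    """Walk old-format packet headers and report whether each packet's
    declared length is actually backed by bytes in the buffer."""
    out, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0xC0 != 0x80:
            raise ValueError("only old-format headers are handled (offset %d)" % pos)
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate-length packet at offset %d" % pos)
        hdr = 1 + (1, 2, 4)[ltype]
        lenbytes = data[pos + 1:pos + hdr]
        if len(lenbytes) < hdr - 1:  # the header itself is cut off
            out.append({"tag": tag, "declared": None, "available": 0, "truncated": True})
            break
        declared = int.from_bytes(lenbytes, "big")
        body = data[pos + hdr:pos + hdr + declared]
        info = {"tag": tag, "declared": declared, "available": len(body),
                "truncated": len(body) < declared}
        if tag in (6, 14) and len(body) >= 6 and body[0] == 4:
            info["algo"] = body[5]  # v4 key: algorithm byte follows the 4-byte timestamp
        out.append(info)
        pos += hdr + declared
    return out

def safe_to_import(data):
    """Pre-check for a key blob: reject it if any packet is truncated."""
    return not any(p["truncated"] for p in walk_packets(data))

# Constructed sample: a good subkey followed by the same subkey with the
# algorithm byte rewritten to 0xff and its final byte dropped (head -c -1).
GOOD = build_subkey_packet()
TAMPERED = build_subkey_packet(algo=0xFF)[:-1]
SAMPLE = GOOD + TAMPERED

if __name__ == "__main__":
    print(walk_packets(SAMPLE), "safe:", safe_to_import(SAMPLE))
```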
