[PATCH GnuPG] Disallow compressed signatures and certificates

Demi Marie Obenour demiobenour at gmail.com
Tue Oct 25 06:11:46 CEST 2022


On 10/9/22 20:10, Demi Marie Obenour wrote:
> Compressed packets have significant attack surface, due to the potential
> for both denial of service (zip bombs and the like) and for code
> execution via memory corruption vulnerabilities in the decompressor.
> Furthermore, I am not aware of any implementation that uses them in keys
> or detached signatures.  Therefore, disallow their use in such contexts
> entirely.  This includes signatures that are part of a cleartext-signed
> message.
> 
> When parsing detached signatures, forbid any packet that is not a
> signature or marker packet.  When parsing keys, return an error when
> encountering a compressed packet, instead of decompressing the packet.
> When parsing a cleartext-signed message, the signature (and any data
> that follows it) is treated as a detached signature.
> 
> Furthermore, certificates, keys, and signatures are not allowed to
> contain partial-length or indeterminate-length packets.  Reject those in
> parse_packet, rather than activating the partial-length filter code.
> 
> GnuPG-bug-id: T5993
> Signed-off-by: Demi Marie Obenour <demiobenour at gmail.com>

Would it be possible to review this patch, and (if possible) to merge it?
This fixes a denial of service security vulnerability in some applications.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
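The packet-level policy described in the quoted patch description, as an added stand-alone example that is not GnuPG code and not part of the original message: walk the packets of a key or a detached signature, refuse compressed-data packets, partial-body-length headers and indeterminate-length headers before any body is buffered or decompressed, and in a detached signature accept only signature and marker packets. The header encodings and tag numbers are those of RFC 4880 sections 4.2 and 4.3; the function names, the `PacketError` class and the small encoding helpers are this example's own, and the sample packets built from them are constructed test input, not real key material.

```python
"""Strict OpenPGP packet-header scan for keys and detached signatures.

Hypothetical example (not GnuPG's parser).  Header formats follow
RFC 4880 section 4.2; tag values follow section 4.3.
"""

# Packet tags (RFC 4880 section 4.3), only the ones used here.
TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_COMPRESSED = 8
TAG_MARKER = 10
TAG_USER_ID = 13
TAG_PUBLIC_SUBKEY = 14

# The only packet types a detached signature may carry under this policy.
DETACHED_SIG_TAGS = {TAG_SIGNATURE, TAG_MARKER}


class PacketError(ValueError):
    """Raised for any header the strict policy refuses."""


def parse_header(data: bytes, pos: int):
    """Return (tag, body_length, header_length) for the packet at data[pos:].

    Partial-body-length (new format, first length octet 224..254) and
    indeterminate-length (old format, length type 3) headers are rejected
    here, so the returned body_length is always a definite value.
    """
    if pos >= len(data):
        raise PacketError("truncated: no packet header")
    ctb = data[pos]
    if not ctb & 0x80:
        raise PacketError(f"invalid CTB 0x{ctb:02x} at offset {pos}")
    if ctb & 0x40:                               # new-format header
        tag = ctb & 0x3F
        if pos + 1 >= len(data):
            raise PacketError("truncated new-format length")
        o1 = data[pos + 1]
        if o1 < 192:                             # one-octet length
            return tag, o1, 2
        if o1 < 224:                             # two-octet length
            if pos + 2 >= len(data):
                raise PacketError("truncated two-octet length")
            return tag, ((o1 - 192) << 8) + data[pos + 2] + 192, 3
        if o1 == 255:                            # five-octet length
            if pos + 5 >= len(data):
                raise PacketError("truncated five-octet length")
            return tag, int.from_bytes(data[pos + 2:pos + 6], "big"), 6
        raise PacketError(f"partial-length packet (tag {tag}) at offset {pos}")
    tag = (ctb >> 2) & 0x0F                      # old-format header
    ltype = ctb & 0x03
    if ltype == 3:
        raise PacketError(f"indeterminate-length packet (tag {tag}) at offset {pos}")
    nlen = (1, 2, 4)[ltype]
    if pos + 1 + nlen > len(data):
        raise PacketError("truncated old-format length")
    return tag, int.from_bytes(data[pos + 1:pos + 1 + nlen], "big"), 1 + nlen


def scan_packets(data: bytes, context: str):
    """Return a list of (tag, body) for every packet in data.

    context is "key" (certificate / keyring material) or
    "detached-signature".  Raises PacketError at the first violation,
    before the offending body is touched.
    """
    if context not in ("key", "detached-signature"):
        raise ValueError("context must be 'key' or 'detached-signature'")
    packets, pos = [], 0
    while pos < len(data):
        tag, blen, hlen = parse_header(data, pos)
        if tag == TAG_COMPRESSED:
            raise PacketError(f"compressed packet at offset {pos} not allowed in {context}")
        if context == "detached-signature" and tag not in DETACHED_SIG_TAGS:
            raise PacketError(f"tag {tag} at offset {pos} not allowed in a detached signature")
        start, end = pos + hlen, pos + hlen + blen
        if end > len(data):
            raise PacketError(f"packet at offset {pos} runs past end of data")
        packets.append((tag, data[start:end]))
        pos = end
    return packets


# --- constructed-input helpers for exercising the scanner -------------------

def new_format_packet(tag: int, body: bytes) -> bytes:
    """Encode a new-format packet with a definite body length."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        n -= 192
        length = bytes([(n >> 8) + 192, n & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def partial_length_header(tag: int, power: int) -> bytes:
    """New-format header announcing a partial body of 2**power octets."""
    return bytes([0xC0 | tag, 0xE0 | power])


def old_format_indeterminate(tag: int) -> bytes:
    """Old-format header with length type 3 (indeterminate length)."""
    return bytes([0x80 | (tag << 2) | 0x03])
```

Rejecting at the header, before the body is read, is the point: the scanner never allocates for or hands bytes to a decompressor, so neither a zip bomb nor a decompressor bug is reachable from key or detached-signature input.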