From wk ΞΑ gnupg.org  Mon Nov  4 09:22:49 2013
From: wk ΞΑ gnupg.org (Werner Koch)
Date: Mon, 04 Nov 2013 09:22:49 +0100
Subject: [gnupg-ru] [Announce] Details on the GnuPG 1.4.15 and 2.0.22 release
In-Reply-To: <877gds3xkv.fsf@vigenere.g10code.de> (Werner Koch's message of
 "Sat, 05 Oct 2013 10:56:32 +0200")
References: <877gds3xkv.fsf@vigenere.g10code.de>
Message-ID: <87fvrck23q.fsf@vigenere.g10code.de>

Hi!

Taylor asked me to forward this background info:

On Sat,  5 Oct 2013 10:56, wk ΞΑ gnupg.org said:
> not yet been seen in the wild.  Details of the attack will eventually
> be published by its inventor.

  The zlib compression language that OpenPGP uses is powerful enough to
  express an OpenPGP compression quine -- that is, an OpenPGP compressed
  data packet that decompresses to itself -- causing infinite nesting of
  OpenPGP packets.  Source code to generate such a quine is at
  <http://mumble.net/~campbell/misc/pgp-quine/>.
  
  When fed the quine, older versions of GnuPG would blow the stack and
  crash.  GnuPG 1.4.15 and GnuPG 2.0.22 avoid this by setting a small
  constant bound on the depth of packet nesting.
  
  (This is similar to Tavis Ormandy's IPcomp compression quine, reported
  in CVE-2011-1547, which I didn't know about at the time I made the
  OpenPGP compression quine.  Both of us had read Russ Cox's article on
  zlib compression quines: <http://research.swtch.com/zip>.)



Salam-Shalom,

   Werner
  
-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


_______________________________________________
Gnupg-announce mailing list
Gnupg-announce ΞΑ gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce