Clarification on advisories
wk at gnupg.org
Mon Mar 23 10:48:12 CET 2015
On Mon, 23 Mar 2015 06:31, venture37 at gmail.com said:
> In the 1.4.19 announcement, the entry: "Fixed bugs related to bogus
> keyrings." is the fix for CVE-2015-1606?
The Debian announcement describes this as
The keyring parsing code did not properly reject certain packet types
not belonging in a keyring, which caused an access to memory already
freed. This could allow remote attackers to cause a denial of service
(crash) via crafted keyring files.
This seems to be about this fix:
gpg: Prevent an invalid memory read using a garbled keyring.
* g10/keyring.c (keyring_get_keyblock): Whitelist allowed packet
The keyring DB code did not reject packets which don't belong in a
keyring. If for example the keyblock contains a literal data packet
it is expected that the processing code stops at the data packet and
reads from the input stream which is referenced from the data packets.
Obviously the keyring processing code does not and cannot do that.
However, when exporting this messes up the IOBUF and leads to an
invalid read of sizeof (int).
We now skip all packets which are not allowed in a keyring.
Reported-by: Hanno Böck <hanno at hboeck.de>
(back ported from commit f0f71a721ccd7ab9e40b8b6b028b59632c0cc648)
[dkg: rebased to STABLE-BRANCH-1-4]
Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
(I don't think that "access to memory already freed" is the right
> Am I right in thinking the issues found through fuzzing which led to
> the release of 2.1.2 still have not been back ported to previous
> releases? Certainly most of the changes in the commits highlighted are
> applicable accounting for the change of line numbers.
I may not understand your question here. The commit you are
referring to is against 2.1 (current master) and not against 1.4. The
parts relevant to 1.4 and 2.0 have been ported back (see above for 1.4).
Thoughts are free. Exceptions are regulated by a federal law.
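The fix quoted above boils down to one rule: while walking a keyring, skip every packet whose type cannot legitimately appear there instead of handing it to code that expects to read from an attached input stream. The following is an added illustration of that rule, not GnuPG's own code and not the contents of g10/keyring.c: a small bounds-checked OpenPGP packet-header walker (old and new format headers as defined in RFC 4880) that applies a keyring whitelist. The whitelist here is an assumption modeled on the described fix, not GnuPG's actual list; the sample keyring bytes are constructed for the example and contain a literal data packet (tag 11) between legitimate key, user ID and signature packets.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* OpenPGP packet tags (RFC 4880, section 4.3). */
enum {
    PKT_SIGNATURE      = 2,
    PKT_SECRET_KEY     = 5,
    PKT_PUBLIC_KEY     = 6,
    PKT_SECRET_SUBKEY  = 7,
    PKT_LITERAL_DATA   = 11,
    PKT_TRUST          = 12,
    PKT_USER_ID        = 13,
    PKT_PUBLIC_SUBKEY  = 14,
    PKT_USER_ATTRIBUTE = 17
};

/* Assumption: the set of packet types a keyring may contain. Anything
 * else (literal data, compressed data, encrypted data, ...) is skipped. */
static int keyring_allows(int tag)
{
    switch (tag) {
    case PKT_SIGNATURE:  case PKT_SECRET_KEY:  case PKT_PUBLIC_KEY:
    case PKT_SECRET_SUBKEY: case PKT_TRUST:    case PKT_USER_ID:
    case PKT_PUBLIC_SUBKEY: case PKT_USER_ATTRIBUTE:
        return 1;
    default:
        return 0;
    }
}

/* Parse the packet header at buf[off]. On success returns 0 and sets the
 * tag, header length and body length; every read is bounds-checked and a
 * truncated or indeterminate-length packet is reported as -1. */
static int parse_packet_header(const uint8_t *buf, size_t len, size_t off,
                               int *tag, size_t *hdrlen, size_t *bodylen)
{
    if (off >= len || !(buf[off] & 0x80))
        return -1;                                  /* not a packet header */
    if (buf[off] & 0x40) {                          /* new-format header */
        *tag = buf[off] & 0x3f;
        if (off + 1 >= len) return -1;
        uint8_t b0 = buf[off + 1];
        if (b0 < 192) {
            *hdrlen = 2; *bodylen = b0;
        } else if (b0 < 224) {
            if (off + 2 >= len) return -1;
            *hdrlen = 3;
            *bodylen = ((size_t)(b0 - 192) << 8) + buf[off + 2] + 192;
        } else if (b0 == 255) {
            if (off + 5 >= len) return -1;
            *hdrlen = 6;
            *bodylen = ((size_t)buf[off + 2] << 24) | ((size_t)buf[off + 3] << 16)
                     | ((size_t)buf[off + 4] << 8)  |  (size_t)buf[off + 5];
        } else {
            return -1;          /* partial body lengths: not valid in a keyring */
        }
    } else {                                        /* old-format header */
        *tag = (buf[off] >> 2) & 0x0f;
        int ltype = buf[off] & 0x03;
        if (ltype == 3) return -1;                  /* indeterminate length */
        size_t n = (size_t)1 << ltype;              /* 1, 2 or 4 length octets */
        if (off + n >= len) return -1;
        *hdrlen = 1 + n;
        *bodylen = 0;
        for (size_t i = 0; i < n; i++)
            *bodylen = (*bodylen << 8) | buf[off + 1 + i];
    }
    if (*bodylen > len - off - *hdrlen)
        return -1;                                  /* body runs past the buffer */
    return 0;
}

/* Walk a keyring buffer: record the tags of allowed packets in kept[],
 * count skipped ones, and return the number kept (-1 if malformed). */
static long scan_keyring(const uint8_t *buf, size_t len,
                         int *kept, size_t max_kept, int *skipped)
{
    size_t off = 0;
    long nkept = 0;
    *skipped = 0;
    while (off < len) {
        int tag; size_t hdr, body;
        if (parse_packet_header(buf, len, off, &tag, &hdr, &body) != 0)
            return -1;
        if (keyring_allows(tag)) {
            if ((size_t)nkept < max_kept) kept[nkept] = tag;
            nkept++;
        } else {
            (*skipped)++;                           /* e.g. a literal data packet */
        }
        off += hdr + body;                          /* never parse the body */
    }
    return nkept;
}

/* Constructed sample keyring (bodies are dummy bytes, not real key material). */
static const uint8_t sample_keyring[] = {
    0x98, 0x03, 0x04, 0x00, 0x00,               /* tag 6  public key, old format  */
    0xB4, 0x05, 'a', 'l', 'i', 'c', 'e',        /* tag 13 user ID                 */
    0xAC, 0x04, 'b', 0x00, 0x00, 0x00,          /* tag 11 literal data: skipped   */
    0xC2, 0x02, 0x04, 0x13                      /* tag 2  signature, new format   */
};

static int g_kept[8];
static int g_skipped;

/* Scan the sample with `drop` trailing bytes removed to simulate truncation. */
static long scan_sample(size_t drop, int *kept, size_t max_kept, int *skipped)
{
    if (drop > sizeof sample_keyring) return -1;
    return scan_keyring(sample_keyring, sizeof sample_keyring - drop,
                        kept, max_kept, skipped);
}

int main(void)
{
    long n = scan_sample(0, g_kept, 8, &g_skipped);
    printf("kept %ld packet(s), skipped %d\n", n, g_skipped);
    printf("truncated keyring -> %ld\n", scan_sample(1, g_kept, 8, &g_skipped));
    return 0;
}
```

The important design point is the last line of the loop: a keyring walker only needs header and length to step over a packet, so a foreign packet type is never dispatched to the routine that would try to follow its data stream.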