Clarification on advisories

Werner Koch wk at
Mon Mar 23 13:20:24 CET 2015

On Mon, 23 Mar 2015 11:05, venture37 at said:

> Are the applicable parts of the issues highlighted here:
> Backported to 2.0.27?

Yes, all four:

1. 39978487863066e59bb657f5fe4e8baab510da7e

  commit 7e12ec4c7d6df29a7d7935399fccd2594ebb4a7e
  Author: Werner Koch <wk at>
  Date:   Thu Feb 12 18:52:07 2015 +0100

    gpg: Fix a NULL-deref due to empty ring trust packets.
    * g10/parse-packet.c (parse_trust): Always allocate a packet.
    Reported-by: Hanno Böck <hanno at>
    Signed-off-by: Werner Koch <wk at>
    (back ported from commit 39978487863066e59bb657f5fe4e8baab510da7e)

2. 0835d2f44ef62eab51fce6a927908f544e01cf8f

  commit 8da836e76f1349f4587d1bb74864b11dde7b8a39
  Author: Werner Koch <wk at>
  Date:   Thu Feb 12 18:54:17 2015 +0100

    gpg: Fix a NULL-deref in export due to invalid packet lengths.
    * g10/build-packet.c (write_fake_data): Take care of a NULL stored as
    opaque MPI.
    Reported-by: Hanno Böck <hanno at>
    (back ported from commit 0835d2f44ef62eab51fce6a927908f544e01cf8f)

3. 0f71a721ccd7ab9e40b8b6b028b59632c0cc648

  commit 824d88ac51b4d680f06e68f0879a7c1ec03cb2ba
  Author: Werner Koch <wk at>
  Date:   Thu Feb 12 18:58:36 2015 +0100

    gpg: Prevent an invalid memory read using a garbled keyring.
    * g10/keyring.c (keyring_get_keyblock): Whitelist allowed packet
    The keyring DB code did not reject packets which don't belong into a
    keyring.  If for example the keyblock contains a literal data packet
    it is expected that the processing code stops at the data packet and
    reads from the input stream which is referenced from the data packets.
    Obviously the keyring processing code does not and cannot do that.
    However, when exporting this messes up the IOBUF and leads to an
    invalid read of sizeof (int).
    We now skip all packets which are not allowed in a keyring.
    Reported-by: Hanno Böck <hanno at>
    (back ported from commit f0f71a721ccd7ab9e40b8b6b028b59632c0cc648)

4. 2183683bd633818dd031b090b5530951de76f392

  commit 3627123dc8fdc551caca1c7944713fbf01feccf6
  Author: Werner Koch <wk at>
  Date:   Thu Feb 12 20:34:44 2015 +0100

    Use inline functions to convert buffer data to scalars.
    * include/host2net.h (buf16_to_ulong, buf16_to_uint): New.
    (buf16_to_ushort, buf16_to_u16): New.
    (buf32_to_size_t, buf32_to_ulong, buf32_to_uint, buf32_to_u32): New.
    This fixes sign extension on shift problems.  Hanno Böck found a case
    with an invalid read due to this problem.  To fix that almost all uses
    of "<< 24" and "<< 8" are changed by this patch to use an inline
    function from host2net.h.
    (back ported from commit 2183683bd633818dd031b090b5530951de76f392)

and released with 2.0.27

  commit 8d47e6e5235b6ecb41baf52865c5837c1de962b5
  Author: Werner Koch <wk at>
  Date:   Wed Feb 18 14:10:57 2015 +0100

    Release 2.0.27



Thoughts are free.  Exceptions are regulated by a federal law.
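The sign-extension-on-shift problem named in the fourth commit message, as an added example that is not part of the original mail and not GnuPG's code. The name `buf32_to_u32` is taken from the commit message, but its body here is an assumption about what such a helper looks like; `naive_len64` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hardened form: widen each octet to an unsigned 32-bit type before
   shifting, so no intermediate value is ever a signed int.
   (Assumed body; only the name comes from the commit message.) */
static inline uint32_t buf32_to_u32(const void *buffer)
{
    const unsigned char *p = buffer;
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Model of the old open-coded pattern
       len = p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3];
   p[0] is promoted to signed int, so a top octet >= 0x80 lands in the
   sign bit (formally undefined; two's-complement compilers produce a
   negative int).  Storing that int in a 64-bit length sign-extends it.
   The casts below reproduce that outcome with defined conversions. */
static uint64_t naive_len64(const unsigned char *p)
{
    int32_t as_int = (int32_t)buf32_to_u32(p);  /* value the int held   */
    return (uint64_t)(int64_t)as_int;           /* widening to 64 bits  */
}

int main(void)
{
    /* Constructed sample: 4-octet big-endian length field 0x80000010. */
    const unsigned char field[4] = { 0x80, 0x00, 0x00, 0x10 };

    printf("naive:    %#llx\n", (unsigned long long)naive_len64(field));
    printf("hardened: %#llx\n", (unsigned long long)buf32_to_u32(field));
    return 0;
}
```

With the top bit of the first octet set, the modelled old pattern yields a length with the upper 32 bits all ones, while the helper returns the value actually encoded in the buffer.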
