SUSE:SLE-12:Update
File 0001-gpg-Prevent-an-invalid-memory-read-using-a-garbled-k.patch of Package gpg2
From 824d88ac51b4d680f06e68f0879a7c1ec03cb2ba Mon Sep 17 00:00:00 2001 From: Werner Koch <wk@gnupg.org> Date: Thu, 12 Feb 2015 18:58:36 +0100 Subject: [PATCH] gpg: Prevent an invalid memory read using a garbled keyring. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * g10/keyring.c (keyring_get_keyblock): Whitelist allowed packet types. -- The keyring DB code did not reject packets which don't belong into a keyring. If for example the keyblock contains a literal data packet it is expected that the processing code stops at the data packet and reads from the input stream which is referenced from the data packets. Obviously the keyring processing code does not and cannot do that. However, when exporting this messes up the IOBUF and leads to an invalid read of sizeof (int). We now skip all packets which are not allowed in a keyring. Reported-by: Hanno Böck <hanno@hboeck.de> (back ported from commit f0f71a721ccd7ab9e40b8b6b028b59632c0cc648) --- g10/keyring.c | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) Index: gnupg-2.0.24/g10/keyring.c =================================================================== --- gnupg-2.0.24.orig/g10/keyring.c 2014-06-24 13:50:15.000000000 +0200 +++ gnupg-2.0.24/g10/keyring.c 2015-11-19 14:16:28.759448925 +0100 
@@ -412,8 +412,26 @@ keyring_get_keyblock (KEYRING_HANDLE hd, rc = G10ERR_INV_KEYRING; break; } - if (pkt->pkttype == PKT_COMPRESSED) { - log_error ("skipped compressed packet in keyring\n"); + + /* Filter allowed packets. */ + switch (pkt->pkttype){ + case PKT_PUBLIC_KEY: + case PKT_PUBLIC_SUBKEY: + case PKT_SECRET_KEY: + case PKT_SECRET_SUBKEY: + case PKT_USER_ID: + case PKT_ATTRIBUTE: + case PKT_SIGNATURE: + break; /* Allowed per RFC. */ + case PKT_RING_TRUST: + case PKT_OLD_COMMENT: + case PKT_COMMENT: + case PKT_GPG_CONTROL: + break; /* Allowed by us. */ + + default: + log_error ("skipped packet of type %d in keyring\n", + (int)pkt->pkttype); free_packet(pkt); init_packet(pkt); continue; @@ -484,7 +502,7 @@ keyring_get_keyblock (KEYRING_HANDLE hd, if (rc || !ret_kb) release_kbnode (keyblock); else { - /*(duplicated form the loop body)*/ + /*(duplicated from the loop body)*/ if ( pkt && pkt->pkttype == PKT_RING_TRUST && lastnode && lastnode->pkt->pkttype == PKT_SIGNATURE
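Review bot: in the first hunk of keyring_get_keyblock, the second whitelist group (PKT_RING_TRUST, PKT_OLD_COMMENT, PKT_COMMENT, PKT_GPG_CONTROL) is documented only as "Allowed by us.", which does not tell a later maintainer why these non-RFC types are safe to keep in a keyblock. Please extend the comment to say what each is used for in the keyring, so the list is not widened by analogy later. Two smaller points in the same hunk: the default: branch calls log_error once per skipped packet, so a heavily garbled keyring produces one error line per packet, and it continues without touching rc, so the caller gets no indication that packets were dropped; if that is intended, say so in the comment. Style: `switch (pkt->pkttype){` is missing the space before the brace.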
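Review bot: in the second hunk, the corrected comment `/*(duplicated from the loop body)*/` confirms that the PKT_RING_TRUST / PKT_SIGNATURE handling exists in two copies, one inside the loop and one after it. Since this patch changes which packets the loop body accepts, it would be safer to move that handling into one helper so the two copies cannot drift apart. The spelling fix itself is unrelated to the whitelist change; in a security backport it reads more cleanly as a separate commit.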