[arch-commits] Commit in gnupg/trunk (3 files)
Gaetan Bisson
bisson at archlinux.org
Fri Nov 28 19:53:52 UTC 2014
Date: Friday, November 28, 2014 @ 20:53:51
Author: bisson
Revision: 227171
fix FS#42943
Added:
gnupg/trunk/oid2str-overflow.patch
gnupg/trunk/subpacket-off.patch
Modified:
gnupg/trunk/PKGBUILD
------------------------+
PKGBUILD | 8 ++++-
oid2str-overflow.patch | 72 +++++++++++++++++++++++++++++++++++++++++++++++
subpacket-off.patch | 38 ++++++++++++++++++++++++
3 files changed, 117 insertions(+), 1 deletion(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2014-11-28 19:39:28 UTC (rev 227170)
+++ PKGBUILD 2014-11-28 19:53:51 UTC (rev 227171)
@@ -6,7 +6,7 @@
pkgname=gnupg
pkgver=2.1.0
-pkgrel=5
+pkgrel=6
pkgdesc='Complete and free implementation of the OpenPGP standard'
url='http://www.gnupg.org/'
license=('GPL')
@@ -17,9 +17,13 @@
depends=('npth' 'libgpg-error' 'libgcrypt' 'libksba' 'libassuan'
'pinentry' 'bzip2' 'readline')
source=("ftp://ftp.gnupg.org/gcrypt/${pkgname}/${pkgname}-${pkgver}.tar.bz2"{,.sig}
+ 'oid2str-overflow.patch'
+ 'subpacket-off.patch'
'refresh-keys.patch'
'hash-ecdsa.patch')
sha1sums=('2fcd0ca6889ef6cb59e3275e8411f8b7778c2f33' 'SKIP'
+ '774f7fe541428f45ee145c763cf5634264e3bc69'
+ '1a86b834904c7d18d932ad1bb44d3642990d3cbd'
'246bea8776882f4c0293685482558f6ead1cf902'
'b9bd644276aa1c1a3fcaed82e65eecccfd1f36ed')
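Review bot: The two new source entries `'oid2str-overflow.patch'` and `'subpacket-off.patch'` give no hint of which upstream commits they backport, so once a newer gnupg release lands nobody can tell from the PKGBUILD alone whether they are still needed; the patch headers do carry the ids. A comment next to the entries, `# backports of upstream 8445ef24 and 09887643 (FS#42943); drop once upstream ships them`, would keep that visible. The sha1sums entries pin the local patch files as the PKGBUILD format requires; makepkg also accepts sha256sums, which would bind them more strongly, though for files stored in the package tree that is a minor point.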
@@ -31,6 +35,8 @@
prepare() {
cd "${srcdir}/${pkgname}-${pkgver}"
+ patch -p1 -i ../oid2str-overflow.patch
+ patch -p1 -i ../subpacket-off.patch
patch -p1 -i ../refresh-keys.patch
patch -p1 -i ../hash-ecdsa.patch
}
Added: oid2str-overflow.patch
===================================================================
--- oid2str-overflow.patch (rev 0)
+++ oid2str-overflow.patch 2014-11-28 19:53:51 UTC (rev 227171)
@@ -0,0 +1,72 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Tue, 25 Nov 2014 10:58:56 +0000 (+0100)
+Subject: Fix buffer overflow in openpgp_oid_to_str.
+X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=8445ef24fc31e1fe0291e17f90f9f06b536e34da;hp=28dafd4714a9b01d3a6f1e6e5919bf6f909987c7
+
+Fix buffer overflow in openpgp_oid_to_str.
+
+* common/openpgp-oid.c (openpgp_oid_to_str): Fix unsigned underflow.
+
+* common/t-openpgp-oid.c (BADOID): New.
+(test_openpgp_oid_to_str): Add test cases.
+--
+
+The code has an obvious error by not considering invalid encoding for
+arc-2. A first byte of 0x80 can be used to make a value of less then
+80 and we then subtract 80 from that value as required by the OID
+encoding rules. Due to the unsigned integer this results in a pretty
+long value which won't fit anymore into the allocated buffer.
+
+The fix is obvious. Also added a few simple test cases. Note that we
+keep on using sprintf instead of snprintf because managing the
+remaining length of the buffer would probably be more error prone than
+assuring that the buffer is large enough. Getting rid of sprintf
+altogether by using direct conversion along with membuf_t like code
+might be possible.
+
+Reported-by: Hanno Böck
+Signed-off-by: Werner Koch <wk at gnupg.org>
+
+Ported from libksba commit f715b9e156dfa99ae829fc694e5a0abd23ef97d7
+---
+
+diff --git a/common/openpgp-oid.c b/common/openpgp-oid.c
+index 010c23f..d3d1f2a 100644
+--- a/common/openpgp-oid.c
++++ b/common/openpgp-oid.c
+@@ -236,6 +236,8 @@ openpgp_oid_to_str (gcry_mpi_t a)
+ val <<= 7;
+ val |= buf[n] & 0x7f;
+ }
++ if (val < 80)
++ goto badoid;
+ val -= 80;
+ sprintf (p, "2.%lu", val);
+ p += strlen (p);
+diff --git a/common/t-openpgp-oid.c b/common/t-openpgp-oid.c
+index 79e5a70..5cd778d 100644
+--- a/common/t-openpgp-oid.c
++++ b/common/t-openpgp-oid.c
+@@ -32,6 +32,9 @@
+ } while(0)
+
+
++#define BADOID "1.3.6.1.4.1.11591.2.12242973"
++
++
+ static void
+ test_openpgp_oid_from_str (void)
+ {
+@@ -108,6 +111,12 @@ test_openpgp_oid_to_str (void)
+ { "1.3.132.0.35",
+ { 5, 0x2B, 0x81, 0x04, 0x00, 0x23 }},
+
++ { BADOID,
++ { 9, 0x80, 0x02, 0x70, 0x50, 0x25, 0x46, 0xfd, 0x0c, 0xc0 }},
++
++ { BADOID,
++ { 1, 0x80 }},
++
+ { NULL }};
+ gcry_mpi_t a;
+ int idx;
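Review bot: The new guard `if (val < 80) goto badoid;` carries no comment explaining the constant 80, and the rationale lives only in the commit message; a line above it such as `/* The first byte encodes 40*arc1 + arc2 and arc1 is 2 on this path, so a value below 80 is a malformed encoding. */` would keep it with the code. The loop just above shifts `val` left by 7 for every continuation byte with no visible bound on how many bytes it accepts, so an over-long encoding still wraps silently; whether the buffer-size computation for the `sprintf` below (outside the hunk) accounts for that is not visible here and worth confirming. openpgp_oid_to_str and the badoid label both lie outside the hunk, and the added tests assume badoid yields the BADOID string, which the hunk does not show.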
Added: subpacket-off.patch
===================================================================
--- subpacket-off.patch (rev 0)
+++ subpacket-off.patch 2014-11-28 19:53:51 UTC (rev 227171)
@@ -0,0 +1,38 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Mon, 24 Nov 2014 16:28:25 +0000 (+0100)
+Subject: gpg: Fix off-by-one read in the attribute subpacket parser.
+X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=0988764397f99db4efef1eabcdb8072d6159af76;hp=b716e6a69919b89c7887d6c7c9b97e58d18fdf95
+
+gpg: Fix off-by-one read in the attribute subpacket parser.
+
+* g10/parse-packet.c (parse_attribute_subpkts): Check that the
+attribute packet is large enough for the subpacket type.
+--
+
+Reported-by: Hanno Böck
+Signed-off-by: Werner Koch <wk at gnupg.org>
+---
+
+diff --git a/g10/parse-packet.c b/g10/parse-packet.c
+index e0370aa..f75e21c 100644
+--- a/g10/parse-packet.c
++++ b/g10/parse-packet.c
+@@ -2359,8 +2359,16 @@ parse_attribute_subpkts (PKT_user_id * uid)
+ if (buflen < n)
+ goto too_short;
+
+- attribs =
+- xrealloc (attribs, (count + 1) * sizeof (struct user_attribute));
++ if (!n)
++ {
++ /* Too short to encode the subpacket type. */
++ if (opt.verbose)
++ log_info ("attribute subpacket too short\n");
++ break;
++ }
++
++ attribs = xrealloc (attribs,
++ (count + 1) * sizeof (struct user_attribute));
+ memset (&attribs[count], 0, sizeof (struct user_attribute));
+
+ type = *buffer;
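Review bot: The new `if (!n)` block handles a malformed length differently from the `if (buflen < n) goto too_short;` two lines above it: one jumps to the too_short label, the other logs only under opt.verbose and breaks out of the loop, so a zero-length subpacket silently ends attribute parsing with whatever was collected so far. If too_short also just logs and stops, routing the zero-length case through it (`if (!n) goto too_short;`) would keep a single exit path; if it does something else, a comment stating why a zero-length subpacket is tolerated rather than reported would help. parse_attribute_subpkts starts and ends outside the hunk, so what too_short does is not visible here.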