[arch-commits] Commit in gnupg/trunk (3 files)

Gaetan Bisson bisson at archlinux.org
Fri Nov 28 19:53:52 UTC 2014 

    Date: Friday, November 28, 2014 @ 20:53:51
  Author: bisson
Revision: 227171

fix FS#42943

Added:
  gnupg/trunk/oid2str-overflow.patch
  gnupg/trunk/subpacket-off.patch
Modified:
  gnupg/trunk/PKGBUILD

------------------------+
 PKGBUILD               |    8 ++++-
 oid2str-overflow.patch |   72 +++++++++++++++++++++++++++++++++++++++++++++++
 subpacket-off.patch    |   38 ++++++++++++++++++++++++
 3 files changed, 117 insertions(+), 1 deletion(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2014-11-28 19:39:28 UTC (rev 227170)
+++ PKGBUILD	2014-11-28 19:53:51 UTC (rev 227171)
@@ -6,7 +6,7 @@
 
 pkgname=gnupg
 pkgver=2.1.0
-pkgrel=5
+pkgrel=6
 pkgdesc='Complete and free implementation of the OpenPGP standard'
 url='http://www.gnupg.org/'
 license=('GPL')
@@ -17,9 +17,13 @@
 depends=('npth' 'libgpg-error' 'libgcrypt' 'libksba' 'libassuan'
          'pinentry' 'bzip2' 'readline')
 source=("ftp://ftp.gnupg.org/gcrypt/${pkgname}/${pkgname}-${pkgver}.tar.bz2"{,.sig}
+        'oid2str-overflow.patch'
+        'subpacket-off.patch'
         'refresh-keys.patch'
         'hash-ecdsa.patch')
 sha1sums=('2fcd0ca6889ef6cb59e3275e8411f8b7778c2f33' 'SKIP'
+          '774f7fe541428f45ee145c763cf5634264e3bc69'
+          '1a86b834904c7d18d932ad1bb44d3642990d3cbd'
           '246bea8776882f4c0293685482558f6ead1cf902'
           'b9bd644276aa1c1a3fcaed82e65eecccfd1f36ed')
 
@@ -31,6 +35,8 @@
 
 prepare() {
 	cd "${srcdir}/${pkgname}-${pkgver}"
+	patch -p1 -i ../oid2str-overflow.patch
+	patch -p1 -i ../subpacket-off.patch
 	patch -p1 -i ../refresh-keys.patch
 	patch -p1 -i ../hash-ecdsa.patch
 }

Added: oid2str-overflow.patch
===================================================================
--- oid2str-overflow.patch	                        (rev 0)
+++ oid2str-overflow.patch	2014-11-28 19:53:51 UTC (rev 227171)
@@ -0,0 +1,72 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Tue, 25 Nov 2014 10:58:56 +0000 (+0100)
+Subject: Fix buffer overflow in openpgp_oid_to_str.
+X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=8445ef24fc31e1fe0291e17f90f9f06b536e34da;hp=28dafd4714a9b01d3a6f1e6e5919bf6f909987c7
+
+Fix buffer overflow in openpgp_oid_to_str.
+
+* common/openpgp-oid.c (openpgp_oid_to_str): Fix unsigned underflow.
+
+* common/t-openpgp-oid.c (BADOID): New.
+(test_openpgp_oid_to_str): Add test cases.
+--
+
+The code has an obvious error by not considering invalid encoding for
+arc-2.  A first byte of 0x80 can be used to make a value of less then
+80 and we then subtract 80 from that value as required by the OID
+encoding rules.  Due to the unsigned integer this results in a pretty
+long value which won't fit anymore into the allocated buffer.
+
+The fix is obvious.  Also added a few simple test cases.  Note that we
+keep on using sprintf instead of snprintf because managing the
+remaining length of the buffer would probably be more error prone than
+assuring that the buffer is large enough.  Getting rid of sprintf
+altogether by using direct conversion along with membuf_t like code
+might be possible.
+
+Reported-by: Hanno Böck
+Signed-off-by: Werner Koch <wk at gnupg.org>
+
+Ported from libksba commit f715b9e156dfa99ae829fc694e5a0abd23ef97d7
+---
+
+diff --git a/common/openpgp-oid.c b/common/openpgp-oid.c
+index 010c23f..d3d1f2a 100644
+--- a/common/openpgp-oid.c
++++ b/common/openpgp-oid.c
+@@ -236,6 +236,8 @@ openpgp_oid_to_str (gcry_mpi_t a)
+         val <<= 7;
+         val |= buf[n] & 0x7f;
+       }
++    if (val < 80)
++      goto badoid;
+     val -= 80;
+     sprintf (p, "2.%lu", val);
+     p += strlen (p);
+diff --git a/common/t-openpgp-oid.c b/common/t-openpgp-oid.c
+index 79e5a70..5cd778d 100644
+--- a/common/t-openpgp-oid.c
++++ b/common/t-openpgp-oid.c
+@@ -32,6 +32,9 @@
+   } while(0)
+ 
+ 
++#define BADOID "1.3.6.1.4.1.11591.2.12242973"
++
++
+ static void
+ test_openpgp_oid_from_str (void)
+ {
+@@ -108,6 +111,12 @@ test_openpgp_oid_to_str (void)
+     { "1.3.132.0.35",
+       { 5, 0x2B, 0x81, 0x04, 0x00, 0x23 }},
+ 
++    { BADOID,
++      { 9, 0x80, 0x02, 0x70, 0x50, 0x25, 0x46, 0xfd, 0x0c, 0xc0 }},
++
++    { BADOID,
++      { 1, 0x80 }},
++
+     { NULL }};
+   gcry_mpi_t a;
+   int idx;

Added: subpacket-off.patch
===================================================================
--- subpacket-off.patch	                        (rev 0)
+++ subpacket-off.patch	2014-11-28 19:53:51 UTC (rev 227171)
@@ -0,0 +1,38 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Mon, 24 Nov 2014 16:28:25 +0000 (+0100)
+Subject: gpg: Fix off-by-one read in the attribute subpacket parser.
+X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=0988764397f99db4efef1eabcdb8072d6159af76;hp=b716e6a69919b89c7887d6c7c9b97e58d18fdf95
+
+gpg: Fix off-by-one read in the attribute subpacket parser.
+
+* g10/parse-packet.c (parse_attribute_subpkts): Check that the
+attribute packet is large enough for the subpacket type.
+--
+
+Reported-by: Hanno Böck
+Signed-off-by: Werner Koch <wk at gnupg.org>
+---
+
+diff --git a/g10/parse-packet.c b/g10/parse-packet.c
+index e0370aa..f75e21c 100644
+--- a/g10/parse-packet.c
++++ b/g10/parse-packet.c
+@@ -2359,8 +2359,16 @@ parse_attribute_subpkts (PKT_user_id * uid)
+       if (buflen < n)
+ 	goto too_short;
+ 
+-      attribs =
+-	xrealloc (attribs, (count + 1) * sizeof (struct user_attribute));
++      if (!n)
++        {
++          /* Too short to encode the subpacket type.  */
++          if (opt.verbose)
++            log_info ("attribute subpacket too short\n");
++          break;
++        }
++
++      attribs = xrealloc (attribs,
++                          (count + 1) * sizeof (struct user_attribute));
+       memset (&attribs[count], 0, sizeof (struct user_attribute));
+ 
+       type = *buffer;

More information about the arch-commits mailing list