SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   GnuPG (Gnu Privacy Guard) Vendors:   Gnupg.org
GnuPG Interactive Mode Buffer Overflow in make_printable_string() May Let Users Execute Arbitrary Code
SecurityTracker Alert ID:  1017291
SecurityTracker URL:  http://securitytracker.com/id/1017291
CVE Reference:   CVE-2006-6169   (Links to External Site)
Updated:  Dec 6 2006
Original Entry Date:  Nov 28 2006
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.4.5, 2.0.0
Description:   A vulnerability was reported in GnuPG. A remote user can cause arbitrary code to be executed on the target system.

A remote user can create a specially crafted message that, when processed by the target user, will trigger a buffer overflow and potentially execute arbitrary code on the target system.

The vulnerability resides in the make_printable_string() function in 'openfile.c'.

The vulnerability can be triggered in interactive mode. Batch mode is not affected.

gpg-agent, gpgsm, gpgv, and other tools from the GnuPG suite are not affected.

The original bug report is available at:

https://bugs.g10code.com/gnupg/issue728

Impact:   A remote user may be able to cause arbitrary code to be executed on the target system.
Solution:   A fix is available via CVS. The vendor has also issued a patch.
Vendor URL:  www.gnupg.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Dec 6 2006 (Red Hat Issues Fix) GnuPG Interactive Mode Buffer Overflow in make_printable_string() May Let Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux 2.1, 3, and 4.



 Source Message Contents

Subject:  GnuPG 1.4 and 2.0 buffer overflow

--=Leitrim-embassy-CipherTAC-2000-ASO-halcon-enemy-of-the-state-Commece
Content-Transfer-Encoding: quoted-printable

            GnuPG 1.4 and 2.0 buffer overflow
           =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Summary
=3D=3D=3D=3D=3D=3D=3D

While fixing a bug reported by Hugh Warrington, a buffer overflow has
been identified in all released GnuPG versions.  The current versions
1.4.5 and 2.0.0 are affected.  A small patch is provided.

Please do not send private mail in response to this message.  The
mailing list gnupg-devel is the best place to discuss this problem
(please subscribe first so you don't need moderator approval [1]).


Impact
=3D=3D=3D=3D=3D=3D

When running GnuPG interactively, special crafted messages may be used
to crash gpg or gpg2.  Running gpg in batch mode, as done by all
software using gpg as a backend (e.g. mailers), is not affected by
this bug.

Exploiting this overflow seems to be possible.

gpg-agent, gpgsm, gpgv or other tools from the GnuPG suite are not
affected.



Solution
=3D=3D=3D=3D=3D=3D=3D=3D

Apply the following patch to GnuPG.  It should apply cleanly to
current versions (1.4.5 as well as 2.0.0) but might also work for
older versions.=20

2006-11-27  Werner Koch  <wk@g10code.com>

	* openfile.c (ask_outfile_name): Fixed buffer overflow occurring
	if make_printable_string returns a longer string.  Fixes bug 728.

=2D-- g10/openfile.c      (revision 4348)
+++ g10/openfile.c      (working copy)
@@ -144,8 +144,8 @@
=20
     s =3D _("Enter new filename");
=20
=2D    n =3D strlen(s) + namelen + 10;
     defname =3D name && namelen? make_printable_string( name, namelen, 0):=
 NULL;
+    n =3D strlen(s) + (defname?strlen (defname):0) + 10;
     prompt =3D xmalloc(n);
     if( defname )
        sprintf(prompt, "%s [%s]: ", s, defname );



Background:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

The code in question has been introduced on July 1, 1999 and is a
pretty obvious bug.  make_printable_string is supposed to replace
possible dangerous characters from a prompt and returns a malloced
string.  Thus this string may be longer than the orginal one; the
buffer for the prompt has only be allocated at the size of the original
string - oops.  Note, that using snprintf would not have helped in
this case.  How I wish C-90 had introduced asprintf or at least it
would be available on more platforms.

The original bug report is at https://bugs.g10code.com/gnupg/issue728 .



=3D=3D=3D
[1] See http://lists.gnupg.org/mailman/listinfo/gnupg-devel .


=2D-=20
Werner Koch                                      <wk@gnupg.org>
The GnuPG Experts                                http://g10code.com
Join the Fellowship and protect your Freedom!    http://www.fsfe.org

--=Leitrim-embassy-CipherTAC-2000-ASO-halcon-enemy-of-the-state-Commece
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.1rc1 (GNU/Linux)

iEYEARECAAYFAkVrHJ4ACgkQYHhOlAEKV+3OKQCgq2DZx5xez/033RhUOUy/9ElZ
FLAAnAsIc+zYjmjvo5N8rmVtVdejeLKa
=29PW
-----END PGP SIGNATURE-----
--=Leitrim-embassy-CipherTAC-2000-ASO-halcon-enemy-of-the-state-Commece--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC