Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: GnuPG 1.4.12 and lower - memory access errors and keyring database corruption
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 01 Jan 2013 16:24:28 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/01/2013 12:22 AM, Kurt Seifried wrote:
On 12/28/2012 06:06 PM, KB Sriram wrote:
Versions of GnuPG <= 1.4.12 are vulnerable to memory access
violations and public keyring database corruption when importing
public keys that have been manipulated.

An OpenPGP key can be fuzzed in such a way that gpg segfaults (or
has other memory access violations) when importing the key.

The key may also be fuzzed such that gpg reports no errors when 
examining the key (eg: "gpg the_bad_key.pkr") but importing it
causes gpg to corrupt its public keyring database.

The database corruption issue was first reported on Dec 6th,
through the gpg bug tracking system:

https://bugs.g10code.com/gnupg/issue1455

The subsequent memory access violation was discovered and reported
in a private email with the maintainer on Dec 20th.

A zip file with keys that causes segfaults and other errors is 
available at
http://dl.dropbox.com/u/18852638/gnupg-issues/1455.zip and includes
a log file that demonstrates the issues [on MacOS X and gpg
1.4.11]

A new version of gpg -- 1.4.13 -- that addressed both these issues,
was independently released by the maintainer on Dec 20th.

The simplest solution is to upgrade all gpg installs to 1.4.13.

[Workarounds: A corrupted database may be recovered by manually 
copying back the pubring.gpg~ backup file. Certain errors may also
be prevented by never directly importing a key, but first just
"looking" at the key (eg: "gpg bad_key.pkr"). However, this is not
guaranteed to work in all cases; though upgrading to 1.4.13 does
work for the issues reported.]

Discovery:

The problem was discovered during a byte-fuzzing test of OpenPGP 
certificates for an unrelated application. Each byte in turn was 
replaced by a random byte, and the modified certificate fed to the 
application to check that it handled errors correctly. Gpg was used
as a control, but it itself turned out to have errors related to
packet parsing. The errors are generally triggered when fuzzing the
length field of OpenPGP packets, which cascades into subsequent
errors in certain situations.

-kb

Has this been assigned a CVE identifier yet?

Spoke with upstream, confirmed things. Please use CVE-2012-6085 for this
issue.



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ43AsAAoJEBYNRVNeJnmTWBkP/2+7T2S3n6KOc0VQjcDlK9Yo
kUauilVJcH9QKZW28JHGzQnNUV/jf8csjtGsWBawVi7ofrlNNbNLRXTBe3OqEaxM
ltLB0049NjMQ4sdf9agur3t7kXFJkRarMQZ+DGnlQAYClZggEsztWhwMCOozMiay
/NuJsUQvlAtzRcRYZEyI0P3R5ecfsu0JHJuf9on/bc4hXgl4A6kl02IGaaZi69hU
faYdeGXRKjDKWp7fsLdWXVO4S43+QV2VKADdkxC5+fef9b1lHH6cHhobsZCb8ZCl
pVx19tF/jid7Lz3QyLeaJNuKsu/H65/xJvnhUTdUr3viqo3cArudNNhkb2Fu+8u8
Y03M1w6jdMpO2ENNjgrlrlgLZ4zCk/A8enK61DJnll7oIhVGbn58K0AVSmfcPJtN
V+JklmvbEwJwxlOw9MxWkJ6nuQrXaFJRB5ruQnuvLneEWHsfPYlJMUpUmtmg3VWe
4gbFn774VplIxLuo3wHDwPdaWT7piMvBZLdHvLvRyfx7yBY9zphFsW4zQvZH2hGa
jMpUj2g8mR2Tw03REXrvgj+GNqMKy516d1YbVm8Y8//TCHMYt8EWeXHJ4COS/9WO
rKxEBi8kpL/rc5VFOD+76S3Skp2jgYAql9BTbBp4DoJd7jtT8boRYjJFWWzpiwxi
isKwpf/bS3MC+ZxHKTNe
=zCWo
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault