Home page logo

fulldisclosure logo Full Disclosure mailing list archives

gnupg diff available
From: Felix von Leitner <felix-fulldisclosure () fefe de>
Date: Mon, 15 Jan 2007 14:59:34 +0100


I did a gnupg audit recently.  I was, frankly, appalled by the code
quality.  It is a desert of pointer manipulation, string copying, memcpy
and strcpy are used all over the place, and sprintf, too.

You can find my diff at


Please note that

  a) I might have missed something
  b) I don't claim all fixed parts were exploitable.  My attention span
     is quite short.  If I couldn't figure out where data is coming from
     in 30 seconds, I assumed it was user settable and put a fix in.
  c) I focused on write accesses.  I probably missed a few out of bounds
     read accesses.  Crashing seems to be an acceptable error handling
     mechanism in gnupg (there are already lots of assert() and BUG()
     calls) so I also used assert() in most cases.

People are always saying how free and open source software is more
secure because so many eyes look at it... well, I didn't see much
evidence of that in gnupg.  Please do use some of your time to actually
look at source code and find bugs.

I tried to give Werner Koch (the author) advance warning, but he was
neither helpful nor did he appear interested.  So please don't make
0-days out of this.

Thank you,


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]