oss-sec mailing list archives
Re: Many vulnerabilities in GnuPG
From: Sam James <sam () gentoo org>
Date: Sun, 28 Dec 2025 10:00:08 +0000
Demi Marie Obenour <demiobenour () gmail com> writes:
> https://gpg.fail lists many vulnerabilities in GnuPG, one of which allows remote code execution.
> All are zero-days to the best of my knowledge.
In 2.5.14:
commit 115d138ba599328005c5321c0ef9f00355838ca9
Author: Werner Koch <wk () gnupg org>
AuthorDate: Thu Oct 23 11:36:04 2025 +0200
Commit: Werner Koch <wk () gnupg org>
CommitDate: Thu Oct 23 11:37:59 2025 +0200
gpg: Fix possible memory corruption in the armor parser.
* g10/armor.c (armor_filter): Fix faulty double increment.
* common/iobuf.c (underflow_target): Assert that the filter
implementations behave well.
--
This fixes a bug in a code path which can only be reached with special
crafted input data and would then error out at an upper layer due to
corrupt input (every second byte in the buffer is uninitialized
garbage). No fuzzing has yet hit this case and we don't have a test
case for this code path. However memory corruption can never be
tolerated as it always has the potential for remote code execution.
Reported-by: 8b79fe4dd0581c1cd000e1fbecba9f39e16a396a
Fixes-commit: c27c7416d5148865a513e007fb6f0a34993a6073
which fixed
Fixes-commit: 7d0efec7cf5ae110c99511abc32587ff0c45b14f
In 2.5.13:
commit 8abc320f2a75d6c7339323a3cff8a8489199f49f
Author: Werner Koch <wk () gnupg org>
AuthorDate: Wed Oct 22 12:39:15 2025 +0200
Commit: Werner Koch <wk () gnupg org>
CommitDate: Wed Oct 22 12:39:15 2025 +0200
gpg: Error out on unverified output for non-detached signatures.
* g10/mainproc.c (do_proc_packets): Never reset the any.data flag.
--
Fixes-commit: 3b1b6f9d98b38480ba2074158fa640b881cdb97e
Updates-commit: 69384568f66a48eff3968bb1714aa13925580e9f
Reported-by: 8b79fe4dd0581c1cd000e1fbecba9f39e16a396a
commit 8abc320f2a75d6c7339323a3cff8a8489199f49f
Author: Werner Koch <wk () gnupg org>
AuthorDate: Wed Oct 22 12:39:15 2025 +0200
Commit: Werner Koch <wk () gnupg org>
CommitDate: Wed Oct 22 12:39:15 2025 +0200
gpg: Error out on unverified output for non-detached signatures.
* g10/mainproc.c (do_proc_packets): Never reset the any.data flag.
commit db9705ef594d5a2baf0e95e13cf6170b621dfc51
Author: Werner Koch <wk () gnupg org>
AuthorDate: Wed Oct 22 11:19:55 2025 +0200
Commit: Werner Koch <wk () gnupg org>
CommitDate: Wed Oct 22 11:20:10 2025 +0200
gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures.
But it isn't clear to me what...
* the mapping between all of the vulnerabilities listed on the website is vs GnuPG commits (unfortunately no CVE identifiers yet either);
* GnuPG bug tracker links map to commits or vulnerabilities;
* whether these fixes are complete for a specific vulnerability or not.
The relevant public bugs I'm aware of for GnuPG are:
* https://dev.gnupg.org/T7909
* https://dev.gnupg.org/T7900
* https://dev.gnupg.org/T7902
* https://dev.gnupg.org/T7903
but some linked therein are still marked private.
Finally, to end the dump of what I know so far: Werner Koch has
published a response to the cleartext signature vulnerabilities:
https://gnupg.org/blog/20251226-cleartext-signatures.html.
sam
