Re: Many vulnerabilities in GnuPG

[Demi Marie Obenour <demiobenour () gmail com>]

On 12/29/25 04:51, Werner Koch wrote:
> > Item 5: Memory Corruption in ASCII-Armor Parsing
> >
> > This is a serious memory-safety error in GPG.
>
> Yes, and actually the only serious bug from their list.  This one
> (T7906) was fixed in the repo on November 4 (T7906) and released with
> 2.5.14 on 2025-11-19:
>
>   * gpg: Fix possible memory corruption in the armor parser.  [T7906]
>
> and in the ExtendedLTS version 2.2.51 already on: 2025-10-28:
>
>   * gpg: Fix possible memory corruption in the armor parser.
>     [rG1e929abd20]
>
> Another release of 2.4 is still pending but given that its end-of-life is
> in 6 months, it would anyway better to switch to 2.5.
> > Whether this bug is really exploitable is still questionable but of
> course we decided to fix that.  Thus the claim by Demi Marie "one of
> which allows remote code execution.  [All are zero-days to the best of
> my knowledge.]" is over the top.  Even the report marks this bug as a
> "may":
>
>    Impact
>    While this may allow remote code execution (RCE), it definitively
>    causes memory corruption.
>
> Good research.

I wasn't aware of the fix commits.  The fixed bugs are indeed
not zero-day vulnerabilities from an upstream perspective.
They are, however, zero-day vulnerabilities for many distro users.
In particular, Fedora 42, 43, and Rawhide do not have the fixes.

While upstream did use the word "may", it also states:

> From here it is a challenge in memory corruption exploitation
> with a very large space of reachable primitives.

I concluded from this that exploitation is just a matter of effort.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

Attachment: OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature