Hi!
Here comes a signed patch against 2.0.1 for those who care to verify
signatures ;-).
Shalom-Salam,
Werner
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message
This is a patch against GnuPG 2.0.1. Change the directory to g10/ and
apply this patch.
2006-12-02 Werner Koch [EMAIL PROTECTED]
* encr-data.c: Allocate DFX context on the heap and not on the
stack. Changes at several places. Fixes CVE-2006-6235.
Index: encr-data.c
===
--- encr-data.c (revision 4352)
+++ encr-data.c (working copy)
@@ -39,16 +39,37 @@
static int decode_filter ( void *opaque, int control, IOBUF a,
byte *buf, size_t *ret_len);
-typedef struct
+typedef struct decode_filter_context_s
{
gcry_cipher_hd_t cipher_hd;
gcry_md_hd_t mdc_hash;
char defer[22];
int defer_filled;
int eof_seen;
-} decode_filter_ctx_t;
+ int refcount;
+} *decode_filter_ctx_t;
+/* Helper to release the decode context. */
+static void
+release_dfx_context (decode_filter_ctx_t dfx)
+{
+ if (!dfx)
+return;
+
+ assert (dfx-refcount);
+ if ( !--dfx-refcount )
+{
+ gcry_cipher_close (dfx-cipher_hd);
+ dfx-cipher_hd = NULL;
+ gcry_md_close (dfx-mdc_hash);
+ dfx-mdc_hash = NULL;
+ xfree (dfx);
+}
+}
+
+
+
/
* Decrypt the data, specified by ED with the key DEK.
*/
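Review bot: release_dfx_context returns the context to the general heap at the `xfree (dfx)` line without scrubbing it, yet `defer[22]` is decrypted in place later in this patch (`gcry_cipher_decrypt (dfx->cipher_hd, dfx->defer, 22, NULL, 0)`), so the freed chunk still holds decrypted MDC-trailer bytes after the libgcrypt handles are closed. Zeroing the struct first, `wipememory (dfx, sizeof *dfx);` if that GnuPG helper is in scope in this file (a plain memset before free can be optimized away), costs nothing. `assert (dfx->refcount)` is the only guard against underflow and disappears under NDEBUG, so the one-release-per-reference discipline carries the whole invariant; a header comment such as `/* Drop one reference; on the last one close the handles and free the context.  */` would make that explicit. Note also that the typedef now hides a pointer (`*decode_filter_ctx_t`, arrows appear stripped in this rendering), so any `sizeof dfx` elsewhere in the file would silently become the pointer size; the allocation below correctly uses `sizeof *dfx`.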
@@ -62,7 +83,11 @@
unsigned blocksize;
unsigned nprefix;
- memset( dfx, 0, sizeof dfx );
+ dfx = xtrycalloc (1, sizeof *dfx);
+ if (!dfx)
+return gpg_error_from_syserror ();
+ dfx-refcount = 1;
+
if ( opt.verbose !dek-algo_info_printed )
{
const char *s = gcry_cipher_algo_name (dek-algo);
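Review bot: With `dfx` now a heap object from `xtrycalloc`, every `goto leave` after this point (there are several in the following hunks) must end in `release_dfx_context (dfx)` or the context and its open libgcrypt handles leak on each error path; the `leave:` label and the function's start and end are outside the visible hunks, so I cannot confirm it was updated — please check. The early `return gpg_error_from_syserror ()` is fine since nothing else has been acquired yet. The `dfx->refcount = 1` line deserves a one-line comment stating whose reference it is, e.g. `/* Our own reference; the iobuf filter takes a second one below.  */`.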
@@ -77,20 +102,20 @@
goto leave;
blocksize = gcry_cipher_get_algo_blklen (dek-algo);
if ( !blocksize || blocksize 16 )
-log_fatal(unsupported blocksize %u\n, blocksize );
+log_fatal (unsupported blocksize %u\n, blocksize );
nprefix = blocksize;
if ( ed-len ed-len (nprefix+2) )
BUG();
if ( ed-mdc_method )
{
- if (gcry_md_open (dfx.mdc_hash, ed-mdc_method, 0 ))
+ if (gcry_md_open (dfx-mdc_hash, ed-mdc_method, 0 ))
BUG ();
if ( DBG_HASHING )
-gcry_md_start_debug (dfx.mdc_hash, checkmdc);
+gcry_md_start_debug (dfx-mdc_hash, checkmdc);
}
- rc = gcry_cipher_open (dfx.cipher_hd, dek-algo,
+ rc = gcry_cipher_open (dfx-cipher_hd, dek-algo,
GCRY_CIPHER_MODE_CFB,
(GCRY_CIPHER_SECURE
| ((ed-mdc_method || dek-algo = 100)?
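Review bot: The `if ( ed->len && ed->len < (nprefix+2) ) BUG();` line (operators appear stripped in this rendering) aborts the process on a packet length that comes straight from the message being decrypted, i.e. attacker-controlled input; a malformed message should be rejected, not turned into an abort. Since the function has an error path (`rc` and `goto leave`), `rc = gpg_error (GPG_ERR_INV_PACKET); goto leave;` is the natural replacement, with a comment noting that the check cannot happen at parse time, presumably because the block size is not known until the cipher is — please confirm that reasoning. Whatever is chosen, that `goto leave` now leaves a heap-allocated `dfx` behind, so the release at `leave:` (outside the visible hunks) is required for this path too.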
@@ -104,7 +129,7 @@
/* log_hexdump( thekey, dek-key, dek-keylen );*/
- rc = gcry_cipher_setkey (dfx.cipher_hd, dek-key, dek-keylen);
+ rc = gcry_cipher_setkey (dfx-cipher_hd, dek-key, dek-keylen);
if ( gpg_err_code (rc) == GPG_ERR_WEAK_KEY )
{
log_info(_(WARNING: message was encrypted with
@@ -123,7 +148,7 @@
goto leave;
}
- gcry_cipher_setiv (dfx.cipher_hd, NULL, 0);
+ gcry_cipher_setiv (dfx-cipher_hd, NULL, 0);
if ( ed-len )
{
@@ -144,8 +169,8 @@
temp[i] = c;
}
- gcry_cipher_decrypt (dfx.cipher_hd, temp, nprefix+2, NULL, 0);
- gcry_cipher_sync (dfx.cipher_hd);
+ gcry_cipher_decrypt (dfx-cipher_hd, temp, nprefix+2, NULL, 0);
+ gcry_cipher_sync (dfx-cipher_hd);
p = temp;
/* log_hexdump( prefix, temp, nprefix+2 ); */
if (dek-symmetric
@@ -155,17 +180,18 @@
goto leave;
}
- if ( dfx.mdc_hash )
-gcry_md_write (dfx.mdc_hash, temp, nprefix+2);
-
+ if ( dfx-mdc_hash )
+gcry_md_write (dfx-mdc_hash, temp, nprefix+2);
+
+ dfx-refcount++;
if ( ed-mdc_method )
-iobuf_push_filter( ed-buf, mdc_decode_filter, dfx );
+iobuf_push_filter ( ed-buf, mdc_decode_filter, dfx );
else
-iobuf_push_filter( ed-buf, decode_filter, dfx );
+iobuf_push_filter ( ed-buf, decode_filter, dfx );
proc_packets ( procctx, ed-buf );
ed-buf = NULL;
- if ( ed-mdc_method dfx.eof_seen == 2 )
+ if ( ed-mdc_method dfx-eof_seen == 2 )
rc = gpg_error (GPG_ERR_INV_PACKET);
else if ( ed-mdc_method )
{
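Review bot: The `dfx->refcount++` before `iobuf_push_filter` hands a second reference to the filter, but the push's return value is ignored on both branches; if it fails (it reports an error code through its return value, as far as I recall — please confirm) nothing ever drops that reference, so the context and its libgcrypt handles leak and `proc_packets` then runs on an unfiltered buffer. Checking it and giving the reference back on failure closes that: `rc = iobuf_push_filter (ed->buf, ed->mdc_method? mdc_decode_filter : decode_filter, dfx); if (rc) { release_dfx_context (dfx); goto leave; }`. The matching release inside the filters' free handling is not in the visible hunks, so I am assuming it exists. The increment itself also wants a comment, e.g. `/* The filter owns this reference until it is freed.  */`.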
@@ -184,26 +210,28 @@
bytes are appended. */
int datalen = gcry_md_get_algo_dlen (ed-mdc_method);
- gcry_cipher_decrypt (dfx.cipher_hd, dfx.defer, 22, NULL, 0);
- gcry_md_write (dfx.mdc_hash, dfx.defer, 2);
- gcry_md_final (dfx.mdc_hash);
+ assert (dfx-cipher_hd);
+ assert (dfx-mdc_hash);
+ gcry_cipher_decrypt (dfx-cipher_hd, dfx-defer, 22, NULL, 0);
+ gcry_md_write (dfx-mdc_hash, dfx-defer, 2);
+ gcry_md_final (dfx-mdc_hash);
- if (dfx.defer[0] != '\xd3' || dfx.defer[1] != '\x14' )
+ if (dfx-defer[0] != '\xd3' || dfx-defer[1] != '\x14' )
{
log_error(mdc_packet with invalid encoding\n);
rc = gpg_error (GPG_ERR_INV_PACKET