Hi! Taylor asked me to forward this background info:
On Sat, 5 Oct 2013 10:56, w...@gnupg.org said: > not yet been seen in the wild. Details of the attack will eventually > be published by its inventor. The zlib compression language that OpenPGP uses is powerful enough to express an OpenPGP compression quine -- that is, an OpenPGP compressed data packet that decompresses to itself -- causing infinite nesting of OpenPGP packets. Source code to generate such a quine is at <http://mumble.net/~campbell/misc/pgp-quine/>. When fed the quine, older versions of GnuPG would blow the stack and crash. GnuPG 1.4.15 and GnuPG 2.0.22 avoid this by setting a small constant bound on the depth of packet nesting. (This is similar to Tavis Ormandy's IPcomp compression quine, reported in CVE-2011-1547, which I didn't know about at the time I made the OpenPGP compression quine. Both of us had read Russ Cox's article on zlib compression quines: <http://research.swtch.com/zip>.) Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. _______________________________________________ Gnupg-announce mailing list gnupg-annou...@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users