Date: Friday, November 28, 2014 @ 20:53:51 Author: bisson Revision: 227171
fix FS#42943
Added: gnupg/trunk/oid2str-overflow.patch gnupg/trunk/subpacket-off.patch
Modified: gnupg/trunk/PKGBUILD
------------------------+
PKGBUILD | 8 ++++-
oid2str-overflow.patch | 72 +++++++++++++++++++++++++++++++++++++++++++++++
subpacket-off.patch | 38 ++++++++++++++++++++++++
3 files changed, 117 insertions(+), 1 deletion(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2014-11-28 19:39:28 UTC (rev 227170)
+++ PKGBUILD 2014-11-28 19:53:51 UTC (rev 227171)
@@ -6,7 +6,7 @@
 pkgname=gnupg
 pkgver=2.1.0
-pkgrel=5
+pkgrel=6
 pkgdesc='Complete and free implementation of the OpenPGP standard'
 url='http://www.gnupg.org/'
 license=('GPL')
@@ -17,9 +17,13 @@
 depends=('npth' 'libgpg-error' 'libgcrypt' 'libksba' 'libassuan' 'pinentry' 'bzip2' 'readline')
 source=("ftp://ftp.gnupg.org/gcrypt/${pkgname}/${pkgname}-${pkgver}.tar.bz2"{,.sig}
+ 'oid2str-overflow.patch'
+ 'subpacket-off.patch'
 'refresh-keys.patch'
 'hash-ecdsa.patch')
 sha1sums=('2fcd0ca6889ef6cb59e3275e8411f8b7778c2f33' 'SKIP'
+ '774f7fe541428f45ee145c763cf5634264e3bc69'
+ '1a86b834904c7d18d932ad1bb44d3642990d3cbd'
 '246bea8776882f4c0293685482558f6ead1cf902'
 'b9bd644276aa1c1a3fcaed82e65eecccfd1f36ed')
@@ -31,6 +35,8 @@
 prepare() {
 cd "${srcdir}/${pkgname}-${pkgver}"
+ patch -p1 -i ../oid2str-overflow.patch
+ patch -p1 -i ../subpacket-off.patch
 patch -p1 -i ../refresh-keys.patch
 patch -p1 -i ../hash-ecdsa.patch
 }
Added: oid2str-overflow.patch
===================================================================
--- oid2str-overflow.patch (rev 0)
+++ oid2str-overflow.patch 2014-11-28 19:53:51 UTC (rev 227171)
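Review bot: The two `patch -p1` lines added to prepare() give no hint of what they fix or when they can be dropped, and the patch file names alone do not say which upstream release will make them redundant. Since both patch files carry their upstream commit ids in their headers, a comment above the new lines such as `# FS#42943: upstream 8445ef24fc31e1fe0291e17f90f9f06b536e34da (openpgp_oid_to_str overflow) and 0988764397f99db4efef1eabcdb8072d6159af76 (attribute subpacket off-by-one read); drop once a release contains both` would let the next packager retire them at the right version bump. The added sha1sums entries line up positionally with the new source entries, as makepkg requires, and cover the locally tracked patch files rather than anything downloaded. The whole prepare() body is visible in the hunk.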
@@ -0,0 +1,72 @@
+From: Werner Koch <w...@gnupg.org>
+Date: Tue, 25 Nov 2014 10:58:56 +0000 (+0100)
+Subject: Fix buffer overflow in openpgp_oid_to_str.
+X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=8445ef24fc31e1fe0291e17f90f9f06b536e34da;hp=28dafd4714a9b01d3a6f1e6e5919bf6f909987c7
+
+Fix buffer overflow in openpgp_oid_to_str.
+
+* common/openpgp-oid.c (openpgp_oid_to_str): Fix unsigned underflow.
+
+* common/t-openpgp-oid.c (BADOID): New.
+(test_openpgp_oid_to_str): Add test cases.
+--
+
+The code has an obvious error by not considering invalid encoding for
+arc-2. A first byte of 0x80 can be used to make a value of less then
+80 and we then subtract 80 from that value as required by the OID
+encoding rules. Due to the unsigned integer this results in a pretty
+long value which won't fit anymore into the allocated buffer.
+
+The fix is obvious. Also added a few simple test cases. Note that we
+keep on using sprintf instead of snprintf because managing the
+remaining length of the buffer would probably be more error prone than
+assuring that the buffer is large enough. Getting rid of sprintf
+altogether by using direct conversion along with membuf_t like code
+might be possible.
+
+Reported-by: Hanno Böck
+Signed-off-by: Werner Koch <w...@gnupg.org>
+
+Ported from libksba commit f715b9e156dfa99ae829fc694e5a0abd23ef97d7
+---
+
+diff --git a/common/openpgp-oid.c b/common/openpgp-oid.c
+index 010c23f..d3d1f2a 100644
+--- a/common/openpgp-oid.c
++++ b/common/openpgp-oid.c
+@@ -236,6 +236,8 @@ openpgp_oid_to_str (gcry_mpi_t a)
+ val <<= 7;
+ val |= buf[n] & 0x7f;
+ }
++ if (val < 80)
++ goto badoid;
+ val -= 80;
+ sprintf (p, "2.%lu", val);
+ p += strlen (p);
+diff --git a/common/t-openpgp-oid.c b/common/t-openpgp-oid.c
+index 79e5a70..5cd778d 100644
+--- a/common/t-openpgp-oid.c
++++ b/common/t-openpgp-oid.c
+@@ -32,6 +32,9 @@
+ } while(0)
+
+
++#define BADOID "1.3.6.1.4.1.11591.2.12242973"
++
++
+ static void
+ test_openpgp_oid_from_str (void)
+ {
+@@ -108,6 +111,12 @@ test_openpgp_oid_to_str (void)
+ { "1.3.132.0.35",
+ { 5, 0x2B, 0x81, 0x04, 0x00, 0x23 }},
+
++ { BADOID,
++ { 9, 0x80, 0x02, 0x70, 0x50, 0x25, 0x46, 0xfd, 0x0c, 0xc0 }},
++
++ { BADOID,
++ { 1, 0x80 }},
++
+ { NULL }};
+ gcry_mpi_t a;
+ int idx;
Added: subpacket-off.patch
===================================================================
--- subpacket-off.patch (rev 0)
+++ subpacket-off.patch 2014-11-28 19:53:51 UTC (rev 227171)
@@ -0,0 +1,38 @@
+From: Werner Koch <w...@gnupg.org>
+Date: Mon, 24 Nov 2014 16:28:25 +0000 (+0100)
+Subject: gpg: Fix off-by-one read in the attribute subpacket parser.
+X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=0988764397f99db4efef1eabcdb8072d6159af76;hp=b716e6a69919b89c7887d6c7c9b97e58d18fdf95
+
+gpg: Fix off-by-one read in the attribute subpacket parser.
+
+* g10/parse-packet.c (parse_attribute_subpkts): Check that the
+attribute packet is large enough for the subpacket type.
+--
+
+Reported-by: Hanno Böck
+Signed-off-by: Werner Koch <w...@gnupg.org>
+---
+
+diff --git a/g10/parse-packet.c b/g10/parse-packet.c
+index e0370aa..f75e21c 100644
+--- a/g10/parse-packet.c
++++ b/g10/parse-packet.c
+@@ -2359,8 +2359,16 @@ parse_attribute_subpkts (PKT_user_id * uid)
+ if (buflen < n)
+ goto too_short;
+
+- attribs =
+- xrealloc (attribs, (count + 1) * sizeof (struct user_attribute));
++ if (!n)
++ {
++ /* Too short to encode the subpacket type. */
++ if (opt.verbose)
++ log_info ("attribute subpacket too short\n");
++ break;
++ }
++
++ attribs = xrealloc (attribs,
++ (count + 1) * sizeof (struct user_attribute));
+ memset (&attribs[count], 0, sizeof (struct user_attribute));
+
+ type = *buffer;