Package: gnupg
Version: 1.4.9-3
Severity: normal

Here's the sequence of events:

% echo '1234' | gpg --sign > foo
<I enter my passphrase>
% ls -l foo
-rw-r--r-- 1 wisq wisq 98 2008-10-28 15:19 foo
% dd if=foo of=bar bs=1 count=97
97+0 records in
97+0 records out
97 bytes (97 B) copied, 0.000480021 s, 202 kB/s
% gpg --verify bar
<hangs>

Note that this only hangs sometimes. Other times, it correctly detects the error:

% gpg --verify bar
gpg: fatal: zlib inflate problem: invalid distance code
secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768

When it hangs, the output of --debug-all shows

gpg: DBG: enter inflate: avail_in=1, avail_out=8071
gpg: DBG: leave inflate: avail_in=0, avail_out=8070, zrc=0
gpg: DBG: iobuf-1.0: underflow: eof (no filter)
gpg: DBG: enter inflate: avail_in=1, avail_out=8070
gpg: DBG: leave inflate: avail_in=0, avail_out=8069, zrc=0
gpg: DBG: iobuf-1.0: underflow: eof (no filter)
gpg: DBG: enter inflate: avail_in=1, avail_out=8069
gpg: DBG: leave inflate: avail_in=0, avail_out=8068, zrc=0
gpg: DBG: iobuf-1.0: underflow: eof (no filter)

etc., looping forever.

The main problem is that this renders GnuPG much less useful for unattended operation on arbitrary binary data supplied by untrusted peers -- e.g. for a service that verifies incoming data and takes action on the data if it trusts the signature, like the one I'm designing (to handle dynamic DNS updates). For such a service, this would constitute a local denial-of-service if the process limits its GnuPG workers, or a system-wide denial-of-service if it doesn't.
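The failure mode in the debug trace above is an inflate loop that keeps being called after the input has already reported EOF, without the end-of-stream marker ever arriving. The following added example (not code from the bug report or from GnuPG) shows a streaming inflate loop that treats "input exhausted before end-of-stream" as a fatal truncation error; the sample data is constructed locally by compressing a short message and cutting off its last byte, mimicking the `dd ... count=97` step.

```python
import zlib

# Constructed sample input: compress a small message, then drop the final
# byte to mimic the truncated signed file in the report.
PLAINTEXT = b"1234\n" * 40
COMPRESSED = zlib.compress(PLAINTEXT)
TRUNCATED = COMPRESSED[:-1]


def make_reader(data):
    """Return a read(n) callable over `data` that yields b'' at EOF.

    This plays the role of the iobuf underflow in the trace: once the
    data is exhausted every call returns an empty chunk.
    """
    pos = 0

    def read(n):
        nonlocal pos
        chunk = data[pos:pos + n]
        pos += len(chunk)
        return chunk

    return read


def inflate_from_reader(read, chunk_size=16):
    """Inflate a zlib stream from read(n), terminating on truncation.

    The loop runs until zlib reports end-of-stream. If the reader hits
    EOF first, the stream is incomplete and we raise instead of calling
    inflate again on empty input (which would never make progress).
    Corrupt data surfaces as zlib.error and is reported the same way.
    """
    d = zlib.decompressobj()
    out = bytearray()
    while not d.eof:
        chunk = read(chunk_size)
        if not chunk:
            raise ValueError(
                "truncated compressed stream: EOF after %d output bytes"
                % len(out))
        try:
            out += d.decompress(chunk)
        except zlib.error as exc:
            raise ValueError("corrupt compressed stream: %s" % exc)
    return bytes(out)


def check_truncation_is_detected():
    """Intact input round-trips; truncated input is rejected, not looped on."""
    full = inflate_from_reader(make_reader(COMPRESSED))
    try:
        inflate_from_reader(make_reader(TRUNCATED))
        rejected = False
    except ValueError:
        rejected = True
    return full == PLAINTEXT, rejected
```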
-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnupg depends on:
ii  gpgv           1.4.9-3            GNU privacy guard - signature veri
ii  libbz2-1.0     1.0.5-1            high-quality block-sorting file co
ii  libc6          2.7-14             GNU C Library: Shared libraries
ii  libreadline5   5.2-3              GNU readline and history libraries
ii  libusb-0.1-4   2:0.1.12-12        userspace USB programming library
ii  zlib1g         1:1.2.3.3.dfsg-12  compression library - runtime

Versions of packages gnupg recommends:
ii  libldap-2.4-2  2.4.11-1           OpenLDAP libraries

Versions of packages gnupg suggests:
pn  gnupg-doc      <none>             (no description available)
ii  imagemagick    7:6.3.7.9.dfsg1-2+b2  image manipulation programs
pn  libpcsclite1   <none>             (no description available)
ii  xloadimage     4.1-16             Graphics file viewer under X11

-- no debconf information