Debian Bug report logs - #381204
GnuPG security hole in memory allocation

Package: gnupg; Maintainer for gnupg is Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>; Source for gnupg is src:gnupg.

Reported by: "Brian M. Carlson" <sandals@crustytoothpaste.ath.cx>

Date: Wed, 2 Aug 2006 20:33:16 UTC

Severity: grave

Tags: security

Found in version gnupg/1.4.3-2

Fixed in version 1.4.5-1

Done: James Troup <james@nocrew.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#381204; Package gnupg.

Acknowledgement sent to "Brian M. Carlson" <sandals@crustytoothpaste.ath.cx>:
New Bug report received and forwarded. Copy sent to James Troup <james@nocrew.org>.

Message #5 received at submit@bugs.debian.org:

From: "Brian M. Carlson" <sandals@crustytoothpaste.ath.cx>
To: submit@bugs.debian.org
Subject: GnuPG security hole in memory allocation
Date: Wed, 2 Aug 2006 19:37:08 +0000
Package: gnupg
Version: 1.4.3-2
Severity: grave
Tags: security

GnuPG 1.4.5 corrects some potential security problems in memory
allocation.  From
http://lists.gnupg.org/pipermail/gnupg-announce/2006q3/000229.html :

    * Fixed 2 more possible memory allocation attacks.  They are
      similar to the problem we fixed with 1.4.4.  This bug can easily
      be exploited for a DoS; remote code execution is not entirely
      impossible.

I am inclined to say that this is grave, but since gnupg tends to do
memory allocation before it drops privileges, you might find that this
is critical instead.  If you drop the SUID privileges, then it certainly
does not exceed grave.

I do not have a CVE number for this.


Reply sent to James Troup <james@nocrew.org>:
You have taken responsibility.

Notification sent to "Brian M. Carlson" <sandals@crustytoothpaste.ath.cx>:
Bug acknowledged by developer.

Message #10 received at 381204-done@bugs.debian.org:

From: James Troup <james@nocrew.org>
To: 381204-done@bugs.debian.org
Subject: Re: Bug#381204: GnuPG security hole in memory allocation
Date: Wed, 02 Aug 2006 22:05:18 +0100
Version: 1.4.5-1

"Brian M. Carlson" <sandals@crustytoothpaste.ath.cx> writes:

> Package: gnupg
> Version: 1.4.3-2
> Severity: grave
> Tags: security
>
> GnuPG 1.4.5 corrects some potential security problems in memory
> allocation.

http://lists.debian.org/debian-devel-changes/2006/08/msg00072.html

-- 
James



Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#381204; Package gnupg.

Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>.

Message #15 received at 381204@bugs.debian.org:

From: Martin Pitt <martin.pitt@ubuntu.com>
To: 381204@bugs.debian.org, security@debian.org
Subject: Re: Bug#381204: GnuPG security hole in memory allocation
Date: Thu, 3 Aug 2006 08:03:38 +0200
Hi,

I extracted a minimal patch from 1.4.5 for the Sarge security update.
This has been assigned CVE-2006-3746.

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[gnupg.CVE-2006-3746.diff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#381204; Package gnupg.

Acknowledgement sent to Werner Koch <wk@gnupg.org>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>.

Message #20 received at submit@bugs.debian.org:

From: Werner Koch <wk@gnupg.org>
To: "Brian M. Carlson" <sandals@crustytoothpaste.ath.cx>
Cc: 381204@bugs.debian.org, submit@bugs.debian.org
Subject: Re: Bug#381204: GnuPG security hole in memory allocation
Date: Fri, 04 Aug 2006 20:05:44 +0200
On Wed,  2 Aug 2006 21:37, Brian M. Carlson said:

> I am inclined to say that this is grave, but since gnupg tends to do
> memory allocation before it drops privileges, you might find that this

The allocation problem, which is an overflow like
malloc(numbercontrolledbyuser+20), can only happen after privs are
dropped.  It is in the parser of the actual OpenPGP data.  So there is
no privilege escalation just a "normal" remote code execution
possible.

BTW, in general I don't think it is worth installing gpg suid(root);
there are too many other bugs in the entire OS which will make it
easier to get the password than through a swap file.


Salam-Shalom,

   Werner
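
Added example, not part of the original thread and not GnuPG's code: the `malloc(numbercontrolledbyuser+20)` pattern described in the message above, modelled with 32-bit arithmetic, next to a checked form. The function names, the `MAX_BODY_LEN` cap and the sample lengths are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define HEADROOM 20u              /* the "+20" from the message above */
#define MAX_BODY_LEN (1u << 24)   /* assumed policy cap, not a GnuPG constant */

/* Unchecked form, modelled in 32-bit arithmetic (32-bit size_t):
 * a declared length near UINT32_MAX wraps to a tiny allocation size. */
uint32_t unchecked_alloc_size(uint32_t declared_len)
{
    return declared_len + HEADROOM;          /* wraps modulo 2^32 */
}

/* Checked form: returns 0 and stores the size, or -1 if the length is rejected. */
int checked_alloc_size(uint32_t declared_len, uint32_t *size_out)
{
    if (declared_len > UINT32_MAX - HEADROOM)
        return -1;                           /* addition would wrap */
    if (declared_len > MAX_BODY_LEN)
        return -1;                           /* larger than this parser accepts */
    *size_out = declared_len + HEADROOM;
    return 0;
}

/* Allocate a zeroed buffer for a body of the declared length, or return NULL. */
unsigned char *alloc_packet_body(uint32_t declared_len)
{
    uint32_t size;
    if (checked_alloc_size(declared_len, &size) != 0)
        return NULL;
    return calloc(1, size);
}

int main(void)
{
    /* Constructed sample values for a length field read from input. */
    const uint32_t samples[] = { 100u, 0xFFFFFFF0u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t size = 0;
        int rc = checked_alloc_size(samples[i], &size);
        printf("len=%#x unchecked_size=%u checked=%s\n", (unsigned)samples[i],
               (unsigned)unchecked_alloc_size(samples[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The unchecked size for a declared length of 0xFFFFFFF0 is 4 bytes, so any later copy that trusts the declared length writes far past the buffer; the checked form rejects the length before any allocation happens.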





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 10:22:45 GMT)
