Page MenuHome GnuPG
Create Task
Maniphest T1829

Excessive memory use on --import of crafted file
Closed, ResolvedPublic
Actions

Description

While fuzzing I found that the following file would attempt to use 4GB of RAM
and abort.

$ ./g10/gpg2 --import ~/Dropbox/gnupg/04c4b9c1
Fatal error: Cannot allocate memory
Aborted

I am testing with 2.0.22 , this does not occur in 1.4.16-1ubuntu2.1 packaged in
Ubuntu 14.04

System Details:
AMD64
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty

Found with the fuzzer American Fuzzy Lop by lcamtuf.

Details

Version
2.0.22

Related Objects

Event Timeline

JodieC set Version to 2.0.22.Feb 6 2015, 3:19 AM
JodieC added projects: gnupg, Bug Report.
JodieC added a subscriber: JodieC.

545_04c4b9c126 BDownload

werner added a subscriber: werner.Feb 11 2015, 11:58 AM

master (2.1) already has limits for such cases and would thus return better
error message. Those will be backported to 1.4 and 2.0. However, for 2.1 your
test case does not work because PGP-2 formats are not anymore supported in 2.1.

werner added a project: In Progress.Feb 11 2015, 11:58 AM
werner added projects: gnupg (gpg14), gnupg (gpg20).Jun 30 2015, 11:08 AM
werner removed a project: gnupg (gpg20).Sep 8 2015, 2:55 PM
werner added a project: backport.

2.0.29-beta has a fix for this. See also T1823.

neal added a subscriber: neal.Nov 18 2015, 1:54 PM

Based on Werner's comment, this issue has been addressed. As such, I'm closing
this bug report.

neal closed this task as Resolved.Nov 18 2015, 1:54 PM
neal claimed this task.
neal removed a project: In Progress.