
Integer overflow causes heap overflow in parse_symkeyenc() in file g10/parse-packet.c
Closed, Resolved (Public)

Description

Hi,
I found a bug in the decryption routine of gpg with the help of afl and asan. It arises from line 1145 through which it is possible to decrement the pktlen variable five times even if it only has the value of 4. Since it is an unsigned long int this leads to undefined behaviour later on in the code. The risk of exploitation is mitigated by the assertion on line 1209. Nevertheless it is still serious enough to warrant fixing. A possible fix would be to increase the minimum length of pktlen to 5 on line 1110.
cheers
jfe
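The bug class in the report, as an added example that is not GnuPG's code and does not reproduce the layout of parse-packet.c: a hypothetical parser keeps the claimed packet body length in an unsigned long and decrements it once per fixed-header byte it consumes. The `consume_fixed_lax` variant mirrors the reported mismatch (minimum length 4, five bytes consumed) and shows the counter wrapping to ULONG_MAX; `consume_fixed_checked` applies the reporter's proposed fix (minimum length equal to the bytes consumed). `length_invariant_holds` is an assumed helper that makes a useful assertion or fuzzing oracle: the remaining length can never exceed the original. The constant `FIXED_FIELDS` and the input value 4 are constructed for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed: number of fixed header bytes the parser consumes before the
   variable-length remainder. Hypothetical value for this example only. */
#define FIXED_FIELDS 5UL

typedef struct {
    bool accepted;            /* did the length check let the packet through */
    unsigned long remaining;  /* claimed body length left after the fixed fields */
} length_result;

/* Lax variant: the minimum-length check (4) is smaller than the number of
   bytes actually consumed (5). For pktlen == 4 the fifth decrement wraps the
   unsigned counter around to ULONG_MAX, which later code may trust as a
   genuine remaining length. */
static length_result consume_fixed_lax(unsigned long pktlen) {
    length_result r = { false, 0 };
    if (pktlen < 4)
        return r;
    for (unsigned long i = 0; i < FIXED_FIELDS; i++)
        pktlen--;  /* one decrement per fixed byte, as a field parser would do */
    r.accepted = true;
    r.remaining = pktlen;
    return r;
}

/* Checked variant: the minimum length equals the bytes consumed, so the
   subtraction can never wrap. */
static length_result consume_fixed_checked(unsigned long pktlen) {
    length_result r = { false, 0 };
    if (pktlen < FIXED_FIELDS)
        return r;
    pktlen -= FIXED_FIELDS;
    r.accepted = true;
    r.remaining = pktlen;
    return r;
}

/* Invariant for an assertion or fuzz oracle: consuming bytes from a length
   counter must never leave more than was there to begin with. */
static bool length_invariant_holds(unsigned long before, unsigned long after) {
    return after <= before;
}

int main(void) {
    unsigned long pktlen = 4;  /* constructed: passes the lax check, one byte short */
    length_result lax = consume_fixed_lax(pktlen);
    length_result chk = consume_fixed_checked(pktlen);
    printf("lax:     accepted=%d remaining=%lu invariant=%d\n",
           lax.accepted, lax.remaining,
           length_invariant_holds(pktlen, lax.remaining));
    printf("checked: accepted=%d remaining=%lu\n", chk.accepted, chk.remaining);
    return 0;
}
```

Running it shows the lax path accepting the packet and reporting a remaining length of ULONG_MAX with the invariant violated, while the checked path rejects the same input. The invariant helper is the kind of check worth adding next to any length accounting on unsigned counters, because the wrap is silent and only shows up in whatever consumes the bogus remaining length afterwards.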

Details

Version
2.3.0-beta227

Event Timeline

werner claimed this task.
werner added a subscriber: werner.

Thanks for testing. I recall that I wanted to update the checking but a phonecall disturbed my hacking sequence; should have used DND.

Great, thanks for the quick response!