Hi,
I found a bug in the decryption routine of gpg with the help of afl and asan. It arises from line 1145, through which it is possible to decrement the pktlen variable five times even if it only has the value of 4. Since it is an unsigned long int, this leads to undefined behaviour later on in the code. The risk of exploitation is mitigated by the assertion on line 1209. Nevertheless, it is still serious enough to warrant fixing. A possible fix would be to increase the minimum length of pktlen to 5 on line 1110.
cheers
jfe
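The pattern the report describes, reduced to a self-contained C example (added here for illustration; this is not GnuPG's parser, and the five-byte header, the field values and the function names are assumptions made for the example): a packet parser that trusts the declared packet length, pktlen, and decrements it once per byte consumed. The weak variant checks for at least 4 bytes but consumes 5, so with pktlen == 4 the fifth decrement wraps the unsigned counter to ULONG_MAX. The wrap itself is well-defined unsigned arithmetic in C; the danger is that the wrapped value is then carried forward as the trusted number of bytes remaining. The hardened variant applies the reporter's suggestion (minimum length equal to the bytes actually consumed) and additionally refuses to decrement a counter that is already zero.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Result of parsing the fixed header of a constructed packet.
 * pktlen is the packet's declared length; the parser decrements it
 * once per byte consumed, the same pattern the report describes. */
struct hdr_result {
    unsigned char hdr[5];     /* the five header bytes consumed */
    unsigned long remaining;  /* declared bytes left after the header */
    int ok;                   /* 1 = parsed, 0 = rejected as too short */
};

/* Weak variant (illustrative, not GnuPG's code): the up-front check only
 * guarantees 4 bytes but the header consumes 5. With pktlen == 4 the
 * fifth decrement wraps the unsigned counter to ULONG_MAX, which any
 * later "read pktlen more bytes" step would then trust. */
static struct hdr_result parse_hdr_weak(const unsigned char *stream,
                                        unsigned long pktlen)
{
    struct hdr_result r = { {0}, 0, 0 };
    if (pktlen < 4)
        return r;                    /* "packet too short" */
    for (size_t i = 0; i < 5; i++) {
        r.hdr[i] = stream[i];        /* byte comes from the stream, not from pktlen */
        pktlen--;                    /* wraps on the fifth pass when pktlen was 4 */
    }
    r.remaining = pktlen;
    r.ok = 1;
    return r;
}

/* Hardened variant: raise the minimum to the number of bytes actually
 * consumed (the reporter's suggested fix), and also refuse to decrement
 * a counter that is already zero so that later changes to the header
 * layout cannot silently reintroduce the wrap. */
static int take_byte(const unsigned char *stream, size_t *pos,
                     unsigned long *pktlen, unsigned char *out)
{
    if (*pktlen == 0)
        return 0;                    /* would underflow: refuse */
    *out = stream[(*pos)++];
    (*pktlen)--;
    return 1;
}

static struct hdr_result parse_hdr_hardened(const unsigned char *stream,
                                            unsigned long pktlen)
{
    struct hdr_result r = { {0}, 0, 0 };
    size_t pos = 0;
    if (pktlen < 5)
        return r;                    /* minimum now matches bytes consumed */
    for (size_t i = 0; i < 5; i++)
        if (!take_byte(stream, &pos, &pktlen, &r.hdr[i]))
            return r;                /* unreachable after the check; defence in depth */
    r.remaining = pktlen;
    r.ok = 1;
    return r;
}

/* Constructed input: a stream whose first packet declares pktlen == 4
 * but whose header bytes are followed by further stream data, so the
 * weak parser can read a fifth byte without hitting end of input. */
static const unsigned char sample_stream[] = {
    0x05, 0x09, 0x03, 0x08, 0x01,    /* five header bytes (values arbitrary) */
    0xde, 0xad, 0xbe, 0xef           /* whatever follows in the stream */
};

int main(void)
{
    struct hdr_result w = parse_hdr_weak(sample_stream, 4);
    struct hdr_result h = parse_hdr_hardened(sample_stream, 4);
    printf("weak:     ok=%d remaining=%lu (ULONG_MAX=%lu)\n",
           w.ok, w.remaining, ULONG_MAX);
    printf("hardened: ok=%d remaining=%lu\n", h.ok, h.remaining);
    return 0;
}
```

Running it shows the weak parser accepting the 4-byte packet and reporting ULONG_MAX bytes remaining, while the hardened parser rejects it; with a declared length of 5 or more both agree on the remaining count. The per-byte guard in take_byte is what makes the fix robust to future header changes, which is the check a reviewer would ask for beyond the one-line minimum-length bump.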
Details
- Version: 2.3.0-beta227
Revisions and Commits
- rG8305739fe857 (GnuPG): gpg: Fix packet length checking in symkeyenc parser.
Event Timeline
Thanks for testing. I recall that I wanted to update the checking but a phonecall disturbed my hacking sequence; should have used DND.