Page MenuHome GnuPG
Create Task
Maniphest T5697

Kleopatra: Crashes or hangs on circular certificate chains
Closed, ResolvedPublic
Actions

Description

There are several problems caused by circular certificate chains:

  1. Kleopatra crashes on startup if there are X.509 certificates with a circular certificate chain in the key store.
  2. Kleopatra hangs when trying to view the trust chain details of a certificate that's part of a circular chain.

See rGc9343bec83e2: sm: Detect circular chains in --list-chain. for test certificates with circular certificate chain.

Revisions and Commits

rLIBKLEO Libkleo
rLIBKLEOacf819889fdb Remove unused overloads of findIssuers()
rLIBKLEO3edd6ea09957 Move definition of doClear() out of class definition
rLIBKLEOf2e83a76a626 Add helper to check if container contains element matching a predicate
rLIBKLEO741d8a53297c Prevent infinite loop when building issuer chain
rLIBKLEO617c64a859f3 Clear the list of certificates with masked issuer when keys are cleared
rLIBKLEO91ecfb859e80 Use a single return instead of multiple returns
rLIBKLEO51f2bd618677 Prevent cycles in graph of certificate issuers
rLIBKLEObdffed6eb0d7 Add possibility to mask the issuer of keys

Related Objects

Event Timeline

ikloecker claimed this task.Nov 18 2021, 2:35 PM
ikloecker triaged this task as High priority.
ikloecker created this task.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

Rating as High because this can be used for a DoS attack on individual users.

ikloecker added a commit: rLIBKLEO91ecfb859e80: Use a single return instead of multiple returns.Nov 18 2021, 3:57 PM
ikloecker added a commit: rLIBKLEObdffed6eb0d7: Add possibility to mask the issuer of keys.
ikloecker added a commit: rLIBKLEO51f2bd618677: Prevent cycles in graph of certificate issuers.
ikloecker renamed this task from Kleopatra: Crash on circular certificate chains to Kleopatra: Crashes or hangs on circular certificate chains.Nov 18 2021, 3:59 PM
ikloecker updated the task description. (Show Details)

First issue is fixed.

ikloecker added a commit: rLIBKLEOf2e83a76a626: Add helper to check if container contains element matching a predicate.Nov 22 2021, 9:56 AM
ikloecker added a commit: rLIBKLEO617c64a859f3: Clear the list of certificates with masked issuer when keys are cleared.
ikloecker added a commit: rLIBKLEO741d8a53297c: Prevent infinite loop when building issuer chain.
ikloecker added a commit: rLIBKLEO3edd6ea09957: Move definition of doClear() out of class definition.
ikloecker added a commit: rLIBKLEOacf819889fdb: Remove unused overloads of findIssuers().Nov 22 2021, 10:25 AM
ikloecker added a comment.Nov 22 2021, 10:50 AM

Second issue is also fixed.

I didn't spot any other usages of Key::chainID() in libkleo (or kleopatra) that could cause problems. The usage in KeyListView looks safe.

ikloecker changed the task status from Open to Testing.Nov 22 2021, 10:51 AM
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker removed ikloecker as the assignee of this task.Dec 6 2021, 4:22 PM
ebo closed this task as Resolved.Jul 19 2023, 4:36 PM
ebo claimed this task.
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ebo added a subscriber: ebo.

works, tested with the provided example certs

ebo mentioned this in T6602: Kleopatra: Crashes on deleting circular certificate chains.Jul 20 2023, 9:20 AM
ikloecker mentioned this in T6807: Kleo shows 3 certs in a chain while there are only two.Dec 4 2023, 5:05 PM