
crash importing truncated subkeys
Closed, Resolved (Public)

Description

From Tavis Ormandy on gnupg-devel:

Hello, I noticed that if there are two opaque identical public subkey
packets, but one is truncated, gpg crashes on import in gcry_mpi_cmp()

I just did this to repro:

$ gpgcompose --public-key taviso --public-subkey taviso \
    --user-id anything --public-subkey taviso            \
    | perl -p -e 's/(\xb9..\x04....)\x01/\1\xff/g'       \
    | head -c -1 | gpg --import

gpg: premature eof while reading rest of packet
gpg: signal Segmentation fault caught ... exiting
Segmentation fault

That ugly horrible regex is:

\xb9 : Find old-style public-subkey with 2 byte length
.. : skip over the length bytes
\x04 : looking for version 4
.... : skip over the timestamp
\x01 : change the algorithm so it's not recognized by gcry_mpi_cmp.

Then piping it into head to truncate the last packet.

I think it should work on any RSA public key, e.g. just replace
the --public-subkey taviso with the id; 4B092E28 works.
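As an added example that is not GnuPG code and not part of the report above: a small Python walker over OpenPGP packets that shows what a defensive importer should do with the input the pipeline produces. It reads the old-format headers the repro's 0xb9 byte relies on, parses v4 key bodies, and reports an unknown algorithm byte or a truncated last packet as an error rather than letting a short body reach key comparison. The keyring it works on is constructed inline (a 64-bit toy modulus, not a real key), the mutation helper reproduces the perl/head step by walking packets instead of regex-matching bytes, and the names check_import and corrupt_like_repro are this example's own, not gpg's.

```python
# Added example, not GnuPG code: a defensive OpenPGP packet walker that reports a
# truncated packet as an error instead of handing a short body on to key comparison.
# Old-format headers only (RFC 4880 4.2.1); new-format headers raise ValueError.
import struct

TAG_PUBLIC_KEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY = 6, 13, 14
PK_RSA = 1
LEN_FMT = {0: ">B", 1: ">H", 2: ">I"}       # old-format length types 0..2

class TruncatedPacket(ValueError):
    """A header or MPI length promised more bytes than the stream holds."""

def read_header(buf, off):
    """Return (tag, body_len, header_len) for the old-format header at buf[off:]."""
    ctb = buf[off]
    # old-format CTB is 0x80 | tag<<2 | length type; length type 3 (indeterminate)
    # is not handled here.  0xb9 = public subkey with a 2-byte length, the byte the
    # perl regex in the report keys on.
    if (ctb & 0xC0) != 0x80 or (ctb & 0x03) == 3:
        raise ValueError(f"unsupported packet tag byte {ctb:#x} at offset {off}")
    tag, fmt = (ctb >> 2) & 0x0F, LEN_FMT[ctb & 0x03]
    hlen = 1 + struct.calcsize(fmt)
    if off + hlen > len(buf):
        raise TruncatedPacket(f"header at offset {off} needs {hlen} bytes, stream ends early")
    return tag, struct.unpack(fmt, buf[off + 1:off + hlen])[0], hlen

def walk(buf):
    """Yield (tag, body, offset); raise TruncatedPacket instead of yielding a short body."""
    off = 0
    while off < len(buf):
        tag, blen, hlen = read_header(buf, off)
        end = off + hlen + blen
        if end > len(buf):
            raise TruncatedPacket(f"packet tag {tag} at offset {off} claims {blen} body "
                                  f"bytes, only {len(buf) - off - hlen} remain")
        yield tag, buf[off + hlen:end], off
        off = end

def parse_key(body):
    """Parse a v4 public (sub)key body into (timestamp, algo, mpis); RSA carries n, e."""
    if len(body) < 6:
        raise TruncatedPacket("key packet shorter than its fixed 6-byte header")
    version, ts, algo = body[0], struct.unpack(">I", body[1:5])[0], body[5]
    if version != 4:
        raise ValueError(f"unsupported key version {version}")
    nmpi = {PK_RSA: 2}.get(algo)
    if nmpi is None:                         # what the 0xff byte in the repro produces
        raise ValueError(f"unknown public-key algorithm {algo}")
    mpis, off = [], 6
    for _ in range(nmpi):
        if off + 2 > len(body):
            raise TruncatedPacket("MPI bit-count field runs past end of packet")
        nbytes = (struct.unpack(">H", body[off:off + 2])[0] + 7) // 8
        if off + 2 + nbytes > len(body):
            raise TruncatedPacket("MPI value runs past end of packet")
        mpis.append(int.from_bytes(body[off + 2:off + 2 + nbytes], "big"))
        off += 2 + nbytes
    return ts, algo, mpis

def check_import(buf):
    """Defensive importer: per-packet verdicts plus a stream-level truncation error."""
    verdicts, error = [], None
    try:
        for tag, body, _ in walk(buf):
            if tag not in (TAG_PUBLIC_KEY, TAG_PUBLIC_SUBKEY):
                verdicts.append((tag, "skipped"))
                continue
            try:
                _, algo, mpis = parse_key(body)
                verdicts.append((tag, f"algo {algo}, {len(mpis)} MPIs"))
            except ValueError as exc:        # a TruncatedPacket inside a body lands here too
                verdicts.append((tag, f"rejected: {exc}"))
    except TruncatedPacket as exc:           # the stream itself ended mid-packet
        error = str(exc)
    return verdicts, error

# Constructed sample mirroring the repro: key, subkey, user id, the same subkey again.
def mpi(n):
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def old_packet(tag, body, ltype=1):
    """Old-format header; ltype=1 is the 2-byte length form (0xb9 for a subkey)."""
    return bytes([0x80 | (tag << 2) | ltype]) + struct.pack(LEN_FMT[ltype], len(body)) + body

def rsa_key_body(ts, n, e=65537):
    return bytes([4]) + struct.pack(">I", ts) + bytes([PK_RSA]) + mpi(n) + mpi(e)

N_TOY = 0xD2F14F2B9A1C7E3D                   # toy 64-bit modulus, not a real key
SUBKEY = rsa_key_body(0x5A000000, N_TOY)
KEYRING = (old_packet(TAG_PUBLIC_KEY, rsa_key_body(0x5A000000, N_TOY + 2))
           + old_packet(TAG_PUBLIC_SUBKEY, SUBKEY)
           + old_packet(TAG_USER_ID, b"anything", ltype=0)
           + old_packet(TAG_PUBLIC_SUBKEY, SUBKEY))

def corrupt_like_repro(buf):
    """Same mutation as the perl/head pipeline: algo byte 0x01 -> 0xff in every 0xb9
    subkey packet, then drop the final byte so the last packet is truncated."""
    out, off = bytearray(buf), 0
    while off < len(buf):
        _, blen, hlen = read_header(buf, off)
        if buf[off] == 0xB9 and blen >= 6 and buf[off + hlen] == 4:
            out[off + hlen + 5] = 0xFF
        off += hlen + blen
    return bytes(out[:-1])
```

Running check_import(corrupt_like_repro(KEYRING)) yields a rejection for the first subkey (algorithm 255 is unknown) and a stream-level error for the second (the header claims 21 body bytes and only 20 remain); nothing with a short or unparsed body is ever handed to a comparison routine, which is the invariant the crash in gcry_mpi_cmp() violated. The mutation helper walks packet boundaries rather than pattern-matching raw bytes, so it is exact where the regex in the report depends on the byte layout happening to line up.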