
gpg-agent segfaults if it receives an invalid response to a KEYPARAM inquire
Closed, Resolved (Public)

Description

If, in response to a KEYPARAM inquire, the client closes the connection or sends an invalid response (such as ?), the server crashes. The following bash command reproduces the problem on Fedora 35 with GnuPG 2.3.4:

echo KEYPARAM | gpg-agent --server

Details

Version
2.3.4

Event Timeline

DemiMarie created this object in space S1 Public.

Please provide a more verbose report.

DemiMarie renamed this task from "gpg-agent segfaults if it receives an invalid response to a KEYPARAMS inquire" to "gpg-agent segfaults if it receives an invalid response to a KEYPARAM inquire". Jun 10 2022, 10:21 AM
DemiMarie updated the task description. (Show Details)

No crash here

$ echo KEYPARAM | valgrind gpg-agent --server
==30044== Memcheck, a memory error detector
==30044== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==30044== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==30044== Command: gpg-agent --server
==30044== 
gpg-agent[30044]: enabled debug flags: ipc
can't connect to 'socket:///run/user/1000/gnupg/S.log': Connection refused
OK Pleased to meet you
ERR 67109139 Unknown IPC command <GPG Agent>
==30044== 
==30044== HEAP SUMMARY:
==30044==     in use at exit: 54,997 bytes in 57 blocks
==30044==   total heap usage: 216 allocs, 159 frees, 163,120 bytes allocated
==30044== 
==30044== LEAK SUMMARY:
==30044==    definitely lost: 84 bytes in 6 blocks
==30044==    indirectly lost: 0 bytes in 0 blocks
==30044==      possibly lost: 0 bytes in 0 blocks
==30044==    still reachable: 54,913 bytes in 51 blocks
==30044==         suppressed: 0 bytes in 0 blocks
==30044== Rerun with --leak-check=full to see details of leaked memory
==30044== 
==30044== For counts of detected and suppressed errors, rerun with: -v
==30044== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

The original description of the problem seems to be wrong. gpg-agent does not have a KEYPARAM command. If I understand correctly, then gpg-agent sends a KEYPARAM inquiry to the client, but you are sending KEYPARAM to the server.

By the way:

$ docker run -it --rm fedora:35
Unable to find image 'fedora:35' locally
35: Pulling from library/fedora
054e3e802ba7: Pull complete 
Digest: sha256:f1e3a29da8990568c1da6a460cf9658ee7e9b409aa39c2aded67f7ac1dfe7e8a
Status: Downloaded newer image for fedora:35

[root@19a908ecae5c /]# gpg --version
gpg (GnuPG) 2.3.4
libgcrypt 1.9.4-unknown
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
AEAD: EAX, OCB
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

[root@19a908ecae5c /]# echo KEYPARAM | gpg-agent --server
gpg-agent[19]: directory '/root/.gnupg' created
gpg-agent[19]: directory '/root/.gnupg/private-keys-v1.d' created
OK Pleased to meet you
ERR 67109139 Unknown IPC command <GPG Agent>

-> no crash

werner claimed this task.
werner added a project: can't replicate.
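The direction werner points out (the agent inquires, the client answers) is the part the one-liner in the report gets backwards, so a reproduction has to drive the agent as a client. The following Python script is an added example for this thread, not code from the report or from GnuPG: it starts `gpg-agent --server` under a throwaway GNUPGHOME, sends GENKEY, and answers the resulting INQUIRE KEYPARAM either with a proper reply, with the malformed reply `?` from the report, or by hanging up mid-inquire, then prints the transcript and the agent's exit status (negative if it died of a signal). It assumes that `GENKEY --no-protection` triggers `INQUIRE KEYPARAM`, that an inquire is answered with `D` lines followed by `END` (or `CAN` to abort), and that the key parameters are a libgcrypt S-expression such as `(genkey (rsa (nbits 4:2048)))`; the helper names, the 300-byte chunk size and the three scenarios are the example's own choices, and the script makes no claim about what the agent does with a bad reply, it only reports it.

```python
"""Talk Assuan to `gpg-agent --server` and answer its KEYPARAM inquire.

Added example for this thread; not code from the report or from GnuPG.
Assumptions: GENKEY --no-protection makes the agent send "INQUIRE KEYPARAM";
an inquire is answered with "D <data>" lines followed by "END" (or "CAN");
the key parameters are a libgcrypt S-expression such as
(genkey (rsa (nbits 4:2048))). Helper names and chunk size are this example's own.
"""
import os
import shutil
import subprocess
import sys
import tempfile

ASSUAN_LINE_MAX = 1000   # Assuan limit per line, including "D " and the LF
RAW_CHUNK = 300          # worst-case escaping triples a byte: 3*300 + 3 < 1000


def percent_escape(data: bytes) -> bytes:
    """Escape the bytes a D line may not carry verbatim: '%', CR and LF."""
    out = bytearray()
    for b in data:
        if b in b"%\r\n":
            out += b"%%%02X" % b
        else:
            out.append(b)
    return bytes(out)


def inquire_response(payload: bytes) -> list:
    """Lines a client sends to satisfy an INQUIRE: chunked D lines, then END."""
    lines = [b"D " + percent_escape(payload[i:i + RAW_CHUNK])
             for i in range(0, len(payload), RAW_CHUNK)]
    return lines + [b"END"]


def parse_line(line: bytes):
    """Split a server line into keyword (OK, ERR, INQUIRE, S, D, END, #) and argument."""
    kw, _, arg = line.partition(b" ")
    return kw.decode("ascii", "replace"), arg


def drive_agent(reply_to_keyparam, gnupghome=None):
    """Run `gpg-agent --server`, send GENKEY, answer the KEYPARAM inquire with the
    lines reply_to_keyparam() returns (None = hang up instead), then BYE.
    Returns (transcript, exit status); negative status means a signal killed it."""
    env = dict(os.environ, GNUPGHOME=gnupghome or tempfile.mkdtemp(prefix="agent-inq-"))
    proc = subprocess.Popen(["gpg-agent", "--server"], env=env,
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL)
    transcript = []

    def send(line: bytes) -> None:
        transcript.append(b"C: " + line)
        proc.stdin.write(line + b"\n")
        proc.stdin.flush()

    def recv():
        raw = proc.stdout.readline()
        if not raw:
            return None                      # agent closed the connection
        line = raw.rstrip(b"\r\n")
        transcript.append(b"S: " + line)
        return line

    try:
        recv()                               # "OK Pleased to meet you"
        send(b"GENKEY --no-protection")
        while (line := recv()) is not None:
            kw, arg = parse_line(line)
            if kw == "INQUIRE":
                # The agent asks, the client answers: this is the KEYPARAM direction.
                replies = reply_to_keyparam() if arg.startswith(b"KEYPARAM") else [b"CAN"]
                if replies is None:          # simulate the client hanging up mid-inquire
                    proc.stdin.close()
                    break
                for reply in replies:
                    send(reply)
            elif kw in ("OK", "ERR"):        # final answer to GENKEY; D/S lines are skipped
                break
        if not proc.stdin.closed:
            send(b"BYE")
            proc.stdin.close()
    except BrokenPipeError:
        pass                                 # the agent went away mid-conversation
    return transcript, proc.wait(timeout=60)


if __name__ == "__main__":
    if not shutil.which("gpg-agent"):
        sys.exit("gpg-agent not found on PATH")
    scenarios = {
        "valid":  lambda: inquire_response(b"(genkey (rsa (nbits 4:2048)))"),
        "bogus":  lambda: [b"?"],            # the malformed reply the report describes
        "hangup": lambda: None,              # the "client closes the connection" case
    }
    for name, responder in scenarios.items():
        transcript, status = drive_agent(responder)
        print(f"== {name} reply: agent exit status {status}")
        for entry in transcript:
            print(entry.decode("utf-8", "replace"))
```

Run it as a script with gpg-agent on PATH; nothing is written outside the temporary GNUPGHOME. Because each scenario starts a fresh agent, an abnormal exit status in one run is attributable to that reply alone, which is the evidence the "Please provide a more verbose report" request is asking for.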