gpg segfaults on 'af' byte
Closed, Resolved, Public

Description

If I create a file containing just the single byte with hex value 'af' in it,
gpg segfaults on it (see attached file). i.e.

hjmw2@mong:~$ gpg fil
gpg: fil: unknown suffix

*** glibc detected *** free(): invalid next size (fast): 0x08127d18 ***

Aborted

Details

Version
1.4.5

Event Timeline

  • openfile.c (revision 4348)

+++ openfile.c (working copy)
@@ -144,8 +144,8 @@

s = _("Enter new filename");
  • n = strlen(s) + namelen + 10; defname = name && namelen? make_printable_string( name, namelen, 0): NULL;

+ n = strlen(s) + (defname?strlen (defname):0) + 10;

prompt = xmalloc(n);
if( defname )
   sprintf(prompt, "%s [%s]: ", s, defname );
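
Review bot: the `+ 10` in the added `n = strlen(s) + (defname?strlen (defname):0) + 10;` line is an unexplained constant, and the `sprintf(prompt, "%s [%s]: ", s, defname );` that follows still depends on that arithmetic being right rather than on a bound. The format contributes five literal characters plus the terminating NUL, so the size is sufficient for this branch, but a short comment stating what the 10 covers, or writing with `snprintf(prompt, n, ...)`, would make the allocation and the write agree by construction. The hunk also ends inside the `if( defname )` statement, so whatever is written when `defname` is NULL is not visible here and should be checked against the same `n`.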

Fixed in SVN. See the previous message for a patch which is suitable for gnupg
1.4 as well as for 2.0.

It is actually a buffer overflow caused by make_printable_string possibly
returning a string longer than NAMELEN (which comes directly from the OpenPGP
package and is 255 in the reported case). Very stupid bug.

Fortunately, it is not very easy to exploit because it will occur only in
interactive mode and any exploit code must be written in a way that
make_printable_string inserts extra characters (C-escape sequences) into the
exploit code to introduce the overflow.
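
The sizing error described in the comment above, as an added example that is not part of the original ticket and is not GnuPG's code. It compares the buffer size computed before and after the patch with the bytes the prompt format needs. Assumptions: `escape_printable` is a hypothetical stand-in for `make_printable_string` in which every non-printable byte becomes a four-character `\xNN` escape, and the 255-byte name is constructed sample input.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for make_printable_string (not GnuPG's code):
   backslashes and non-printable bytes become "\xNN", 4 chars each. */
static char *escape_printable(const unsigned char *p, size_t len) {
    char *out = malloc(len * 4 + 1), *d = out;
    if (!out)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        if (isprint(p[i]) && p[i] != '\\')
            *d++ = (char)p[i];
        else
            d += sprintf(d, "\\x%02x", (unsigned)p[i]);
    }
    *d = '\0';
    return out;
}

/* Buffer size before the patch: derived from the raw name length. */
static size_t size_before(const char *s, size_t namelen) {
    return strlen(s) + namelen + 10;
}

/* Buffer size after the patch: derived from the escaped string. */
static size_t size_after(const char *s, const char *defname) {
    return strlen(s) + (defname ? strlen(defname) : 0) + 10;
}

/* Bytes that "%s [%s]: " produces, including the terminating NUL. */
static size_t bytes_needed(const char *s, const char *defname) {
    return (size_t)snprintf(NULL, 0, "%s [%s]: ", s, defname) + 1;
}

int main(void) {
    unsigned char name[255];          /* constructed sample input */
    memset(name, 0xaf, sizeof name);
    const char *s = "Enter new filename";
    char *defname = escape_printable(name, sizeof name);
    if (!defname)
        return 1;
    printf("needed %zu, old size %zu, new size %zu\n", bytes_needed(s, defname),
           size_before(s, sizeof name), size_after(s, defname));
    free(defname);
    return 0;
}
```

With this stand-in the old formula allocates far fewer bytes than the prompt needs, while the patched formula always leaves room because it measures the string that is actually written.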

werner removed a project: In Progress.

This bug has the vulnerability id: CVE-2006-6169.
Fixed in 2.0.1.

werner removed a project: Restricted Project.