Page MenuHome GnuPG

gpg segfaults on 'af' byte
Closed, ResolvedPublic

Description

If I create a file containing just the single byte with hex value 'af' in it,
gpg segfaults on it (see attached file). i.e.

hjmw2@mong:~$ gpg fil
gpg: fil: unknown suffix

  • glibc detected * free(): invalid next size (fast): 0x08127d18 *

Aborted

Details

Version
1.4.5

Event Timeline

werner added a project: In Progress.
werner added a subscriber: werner.
  • openfile.c (revision 4348)

+++ openfile.c (working copy)
@@ -144,8 +144,8 @@

s = _("Enter new filename");
  • n = strlen(s) + namelen + 10; defname = name && namelen? make_printable_string( name, namelen, 0): NULL;

+ n = strlen(s) + (defname?strlen (defname):0) + 10;

prompt = xmalloc(n);
if( defname )
   sprintf(prompt, "%s [%s]: ", s, defname );

Fixed in SVN. See the previous message for a patch which is suitable for gnupg
1.4 as well as for 2.0.

It is actually a buffer overflow caused by make_printable_string possibly
returning a string longer than NAMELEN (which comes directly from the OpenPGP
package and is 255 in the reported case). Very stupid bug.

Fortunately, it is not very easy to exploit because it will occur only in
interactive mode and any exploit code must be written in a way that
make_printable_string inserts extra characters (C-escape sequences) into the
exploit code to introduce the overflow.

This bug has the vulnerability id: CVE-2006-6169.
Fixed in 2.0.1.

werner removed a project: Testing.