- Integer Truncation of Input Arguments
- string_to_cipher_algo (for example) uses strtol which returns long but val is an integer
- openpgp_oid_from_str is another case
- Integer Overflow in literals_seen
An attacker can craft a message with a compressed packet, which contains >= 2147483648 literal packets, overflowing the counter, and thus allowing multiple plaintext attacks mitigated by this counter to work again.
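The following is an added illustration, not GnuPG's code: a hypothetical model of a per-message literal-packet counter (the struct, field and function names are assumptions) that saturates instead of wrapping, next to the naive int comparison the finding describes, so the effect of the 2147483648th increment can be seen directly.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical processing context (assumption, not GnuPG's CTX): one
 * counter per message, bumped once per literal (plaintext) packet and
 * consulted afterwards to refuse messages carrying more than one
 * plaintext. */
struct proc_ctx {
    unsigned long literals_seen;    /* bounded; never allowed to wrap */
    int           counter_saturated;/* set once the bound was reached */
};

/* Policy bound (assumed value). It only has to be far below the type's
 * maximum so that the increment below can never overflow. */
#define LITERALS_SEEN_MAX 1000000UL

/* Record one literal packet. Returns -1 once the bound is reached so the
 * caller can abort early instead of letting a crafted compressed packet
 * drive the counter through its whole range. */
int literal_packet_seen(struct proc_ctx *c)
{
    if (c->literals_seen >= LITERALS_SEEN_MAX) {
        c->counter_saturated = 1;   /* count is "at least MAX" from now on */
        return -1;
    }
    c->literals_seen++;
    return 0;
}

/* The check the counter exists for. A saturated counter is treated as
 * "many", so no number of literal packets can make a message look like
 * it carried a single plaintext. */
int multiple_plaintexts(const struct proc_ctx *c)
{
    return c->counter_saturated || c->literals_seen > 1;
}

/* What a plain int counter does after INCREMENTS increments and a
 * "> 1" test. The wrap is computed in unsigned arithmetic (defined); in
 * real signed-int code the overflow is undefined behaviour, which is
 * worse. On two's-complement ABIs 2147483648 converts to INT_MIN, which
 * is not > 1, so the multiple-plaintext check is silently passed. */
int naive_int_check_flags_multiple(unsigned long increments)
{
    unsigned int u = (unsigned int)increments;  /* modular reduction */
    int counter = (int)u;                       /* implementation-defined */
    return counter > 1;
}

/* Two literal packets in one message are detected. */
int demo_two_literals(void)
{
    struct proc_ctx c = {0, 0};
    literal_packet_seen(&c);
    literal_packet_seen(&c);
    return multiple_plaintexts(&c);
}

/* A counter already at the bound refuses further increments and still
 * reports "multiple". Returns 1 when both hold. */
int demo_saturation(void)
{
    struct proc_ctx c = {LITERALS_SEEN_MAX, 0};
    int rc = literal_packet_seen(&c);
    return rc == -1 && multiple_plaintexts(&c);
}

int main(void)
{
    printf("two literals flagged: %d\n", demo_two_literals());
    printf("naive int check after 2^31 increments flags multiple: %d\n",
           naive_int_check_flags_multiple(2147483648UL));
    return 0;
}
```

The bound is deliberately small: once a message has produced more literal packets than any legitimate use needs, counting further only widens the attacker's control over the value.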
- Buffer overflow in stresc in testing file t-stringhelp.c
The function stresc in t-stringhelp.c suffers from an underallocation leading to a heap overflow. Furthermore, the function appears to be logically incorrect. The function seems to be used only in test code; however, we still want to point out the bug to avoid future usage in production code. The first loop allocates two output characters per newline input character. However, in the second loop three output characters are written per newline character in the input. Additionally, the newline character itself is written among the output characters, raising the question of whether the escaping is done correctly.
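As an added example (not the t-stringhelp.c function), this is the shape a correct stresc should have: the size computation and the write loop apply the same rule (two output bytes per newline, one per any other byte), the newline is replaced by its escape rather than emitted alongside it, and the byte budget is asserted before returning. The helper stresc_matches exists only for testing.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed for the escaped form of S, including the terminating NUL.
 * This is the single source of truth for both allocation and writing. */
static size_t stresc_needed(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        n += (*s == '\n') ? 2 : 1;   /* '\n' becomes '\\' 'n' */
    return n + 1;
}

/* Return a freshly malloc'd copy of S with every newline escaped as the
 * two characters '\' and 'n'; NULL on allocation failure. */
char *stresc(const char *s)
{
    size_t need = stresc_needed(s);
    char *out = malloc(need);
    char *p = out;
    if (!out)
        return NULL;
    for (; *s; s++) {
        if (*s == '\n') {
            *p++ = '\\';
            *p++ = 'n';       /* the original byte is NOT written */
        } else {
            *p++ = *s;
        }
    }
    *p = '\0';
    /* The write loop must consume exactly the budgeted bytes; a mismatch
     * here is the class of bug the finding describes. */
    assert((size_t)(p - out) + 1 == need);
    return out;
}

/* Test helper: 1 if stresc(IN) equals EXPECT, else 0. */
int stresc_matches(const char *in, const char *expect)
{
    char *got = stresc(in);
    int ok = got != NULL && strcmp(got, expect) == 0;
    free(got);
    return ok;
}
```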
- ANSI Sequences and Other Binary Output Gets Written to the Terminal Without Confirmation
ANSI sequences can deceive the user about legitimate program output from *GnuPG*, such as log messages and the message contents. As a security-critical tool for end users, we recommend that *GnuPG* warn the user before outputting non-printable data (other than common whitespace), e.g., in the fashion of the gzip utility.
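An added example of the recommended behaviour (not GnuPG's code): a scan for bytes a terminal would interpret rather than display, and a gzip-style decision rule that refuses to write such data to a tty unless the user forces it. The function names and the force flag are assumptions; the sample strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

/* 1 if BUF holds bytes a terminal would act on rather than print: C0
 * control characters other than TAB/LF/CR (this includes ESC, 0x1b, the
 * start of every ANSI escape sequence) and DEL. Bytes >= 0x80 are left
 * alone because they are legitimate in UTF-8 text; 8-bit C1 controls in
 * non-UTF-8 locales are therefore not covered by this check. */
int output_needs_confirmation(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];
        if (c == '\t' || c == '\n' || c == '\r')
            continue;
        if (c < 0x20 || c == 0x7f)
            return 1;
    }
    return 0;
}

/* Decision rule, kept free of I/O so it can be tested: write when the
 * destination is not a terminal, when the data is plain text, or when
 * the user explicitly forced it. */
int should_write(int to_tty, int force, const unsigned char *buf, size_t len)
{
    if (!to_tty || force)
        return 1;
    return !output_needs_confirmation(buf, len);
}

/* Write BUF to FP, refusing binary/control data on a terminal unless
 * FORCE is set. Returns 0 on success, -1 when the write was refused. */
int write_to_user(FILE *fp, const unsigned char *buf, size_t len, int force)
{
    int to_tty = isatty(fileno(fp));
    if (!should_write(to_tty, force, buf, len)) {
        fprintf(stderr,
                "output contains control or escape sequences and is not "
                "written to a terminal; redirect to a file or force it\n");
        return -1;
    }
    fwrite(buf, 1, len, fp);
    return 0;
}

int main(void)
{
    /* Constructed sample: a colour escape sequence followed by text. */
    static const unsigned char sample[] = "\x1b[31mred text\n";
    return write_to_user(stdout, sample, sizeof sample - 1, 0) == 0 ? 0 : 1;
}
```

Run with stdout on a terminal, the sample is refused; redirected to a file, it is written unchanged, which is exactly the distinction gzip draws for compressed data.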
- openpgp_oid_from_str has a wrong memory-safety assumption
The OID -1 would be parsed by strtoul as 4,294,967,295, which would be represented as more than 2 bytes.
It is currently unreachable with user input, but this assumption is wrong and can lead to future memory corruption vulnerabilities.
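The two strto* findings above (the long-to-int truncation in string_to_cipher_algo and the unsigned parse of "-1" in openpgp_oid_from_str) share one root cause, so one added example covers both. It is not GnuPG's code: a strict decimal parser that refuses signs, whitespace, trailing characters and out-of-range values, a numeric cipher-algorithm lookup built on it next to the truncating pattern the finding describes, and a dotted-OID encoder that sizes its output from the base-128 length of the arcs actually parsed instead of assuming a bound. Function names and the 255 algorithm-id limit are assumptions of this example.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Parse exactly LEN bytes of S as an unsigned decimal number. strtoul on
 * its own accepts leading whitespace and a sign ("-1" becomes ULONG_MAX),
 * so the first byte is checked before it runs; ERANGE and trailing junk
 * are refused too. Returns 0 on success. */
int parse_ulong_strict(const char *s, size_t len, unsigned long *out)
{
    char *end;
    unsigned long v;
    if (len == 0 || !isdigit((unsigned char)s[0]))
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || (size_t)(end - s) != len)
        return -1;
    *out = v;
    return 0;
}

/* The pattern the finding describes: strtol's long stored into an int.
 * On LP64 "4294967297" survives strtol and is narrowed to 1. */
int strtol_truncated(const char *s)
{
    int val = (int)strtol(s, NULL, 10);   /* silent narrowing */
    return val;
}

/* Numeric cipher-algorithm id (assumed limit: one octet, as OpenPGP
 * algorithm ids are). Returns the id or -1. Only the numeric path of a
 * string_to_cipher_algo-style function is modelled here. */
int cipher_algo_from_number(const char *s)
{
    unsigned long v;
    if (parse_ulong_strict(s, strlen(s), &v) || v > 255)
        return -1;
    return (int)v;
}

/* Bytes needed to encode V as a base-128 OID arc. */
static size_t base128_len(unsigned long v)
{
    size_t n = 1;
    while (v >= 128) { v >>= 7; n++; }
    return n;
}

/* Write V as N base-128 bytes, high group first, continuation bit set on
 * all but the last byte. */
static void base128_put(unsigned char *p, unsigned long v, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        size_t shift = 7 * (n - 1 - i);
        p[i] = (unsigned char)(((v >> shift) & 0x7f) | (i + 1 < n ? 0x80 : 0));
    }
}

/* Encode dotted-decimal OID S into OUT (DER contents octets). The length
 * is derived from the parsed arc values, so an arc like 4294967295 is
 * given the five bytes it needs or rejected for lack of space, never
 * written past a 2-byte assumption. Returns the length or -1. */
int oid_from_str(const char *s, unsigned char *out, size_t outlen)
{
    unsigned long arcs[32], first;
    size_t narcs = 0, need, pos = 0;
    const char *p = s;
    for (;;) {
        const char *dot = strchr(p, '.');
        size_t seglen = dot ? (size_t)(dot - p) : strlen(p);
        if (narcs == 32 || parse_ulong_strict(p, seglen, &arcs[narcs]))
            return -1;
        narcs++;
        if (!dot) break;
        p = dot + 1;
    }
    if (narcs < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39))
        return -1;
    if (arcs[1] > ULONG_MAX - 40UL * arcs[0])   /* 40*arcs[0]+arcs[1] must fit */
        return -1;
    first = 40UL * arcs[0] + arcs[1];
    need = base128_len(first);
    for (size_t i = 2; i < narcs; i++) need += base128_len(arcs[i]);
    if (need > outlen)
        return -1;
    base128_put(out, first, base128_len(first));
    pos += base128_len(first);
    for (size_t i = 2; i < narcs; i++) {
        base128_put(out + pos, arcs[i], base128_len(arcs[i]));
        pos += base128_len(arcs[i]);
    }
    return (int)pos;
}

/* Test helpers: encoded length of S, and byte I of its encoding (-1 on
 * failure). */
int oid_encoded_len(const char *s)
{
    unsigned char buf[64];
    return oid_from_str(s, buf, sizeof buf);
}

int oid_byte(const char *s, size_t i)
{
    unsigned char buf[64];
    int n = oid_from_str(s, buf, sizeof buf);
    return (n < 0 || i >= (size_t)n) ? -1 : buf[i];
}
```

The encoder's reference value is the RSA OID 1.2.840.113549, whose DER contents are 2A 86 48 86 F7 0D; the arc 4294967295 from the finding costs five bytes on its own.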