
Heap oob read in libksba's parse_rdn
Status: Closed, Resolved (Public)

Description

The hex-escape parsing loop in parse_rdn() has a double increment:

for (; hexdigitp (s); s++)
    s++;                      /* <-- BUG: extra increment */

The for-statement increments s at the end of each iteration, AND
the loop body also increments s, so the pointer advances by 2 per
iteration instead of 1. When the hex string has an odd number of
characters, or when the double-stepping causes the pointer to skip
past the null terminator, parse_rdn() reads past the end of the
heap-allocated buffer.

Reported-by: Francisco Tacliad

His full report for this finding is here:


Disclosure timeline for this and other findings:

2026-02-11 Initial report to security@gnupg.org
2026-02-12 Response from GnuPG team
2026-02-12 Detailed technical report (this document)
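The following C program is an added illustration, not code from the libksba source or from the report above. It reproduces the double-increment loop in a stand-alone helper beside a hardened one-byte-per-iteration scan, and shows the two consequences of the bug: with an odd number of digits the buggy scan steps over the NUL terminator, and with an even count it accepts an unchecked non-hex byte. The hexdigitp() stand-in and the parity check are assumptions about libksba's semantics (two hex digits per decoded byte); the padding bytes after the terminator are constructed so that the demonstration itself stays inside one array.

```c
#include <assert.h>
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Local stand-in for libksba's hexdigitp() macro (assumption: true for
   [0-9a-fA-F], false for everything else, including the NUL terminator). */
static int hexdigitp(const char *p)
{
    return isxdigit((unsigned char)*p) != 0;
}

/* The loop as reported: the for-statement and the body both advance s, so
   only every other byte is tested and the pointer can land past the NUL.
   Returns the offset at which the scan stopped. */
static size_t scan_hex_buggy(const char *hex)
{
    const char *s = hex;
    for (; hexdigitp(s); s++)
        s++;                      /* extra increment: skips an unchecked byte */
    return (size_t)(s - hex);
}

/* Hardened scan: one byte per iteration, so every byte is tested before it
   is consumed and the scan stops exactly at the first non-hex byte.  The
   caller still has to reject an odd digit count, as parse_rdn() does. */
static size_t scan_hex_fixed(const char *hex)
{
    const char *s = hex;
    for (; hexdigitp(s); s++)
        ;
    return (size_t)(s - hex);
}

/* A hex string decodes to bytes only if the digit count is non-zero and even. */
static int hex_count_ok(size_t n)
{
    return n != 0 && (n % 2) == 0;
}

/* Constructed input: three hex digits, the terminator, then padding bytes
   that happen to be hex digits (standing in for whatever follows the real
   heap buffer).  Returns where each scan stops; the terminator is at 3. */
static size_t demo_stop_offset(int use_fixed)
{
    char buf[] = { 'A', 'B', 'C', '\0', 'D', 'E', '\0', '\0' };
    return use_fixed ? scan_hex_fixed(buf) : scan_hex_buggy(buf);
}

int main(void)
{
    printf("odd count, buggy scan stops at %zu (terminator at 3)\n",
           demo_stop_offset(0));
    printf("odd count, fixed scan stops at %zu, accepted=%d\n",
           demo_stop_offset(1), hex_count_ok(demo_stop_offset(1)));
    /* Even count with a non-hex byte in the unchecked position. */
    printf("\"AG\": buggy=%zu fixed=%zu\n",
           scan_hex_buggy("AG"), scan_hex_fixed("AG"));
    return 0;
}
```

The hardened loop here is the minimal change that makes the scan safe (advance once per checked byte); it is not necessarily the exact diff committed for this task or for T5037. Note that the even-count case ("AG") produces no out-of-bounds read but still shows why every byte must be tested: the buggy scan reports two hex digits when only one was examined.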

Related Objects

Status     Assigned   Task
Resolved   None
Resolved   None

Event Timeline

werner created this task.
werner created this object in space Restricted Space.
werner created this object with edit policy "Contributor (Project)".

Looks like this spot was missed when T5037: dn.cpp:181: suspicious loop was fixed. In libkleo's copy of the DN parser I applied the fix in 2023. Too many copies!

werner shifted this object from the Restricted Space space to the S1 Public space.