dirmngr may use an uninitalized struct in the DNS code.
Testing, NormalPublic
Actions

Assigned To

None

Authored By

	• werner
	Thu, May 7, 9:14 AM

Description

As reported by Ciwan Öztopal on 2026-0427:

The bug is in dirmngr's bundled libdns resolver code. In dns_rr_cmp, two
union dns_any values are allocated on the stack without initialization and
passed into dns_any_parse. In that path, dns_any_parse calls
dns_any_reinit, which uses dns_any_sizeof(any) and therefore reads
any->rdata.size from uninitialized stack state. For TXT handling,
dns_txt_parse then uses the resulting size in its bounds logic.

A fix is straightforward but it would be useful to scrutinize the use of the union dns_any in more detail.

Revisions and Commits

rG GnuPG
	rG21a8f3642072 dirmngr: Fix uninitialized use of union dns_any in dns_rr_cmp.

Related Objects

Mentioned In: T7997: Release GnuPG 2.5.20

Event Timeline

• werner triaged this task as Normal priority.Thu, May 7, 9:14 AM

• werner created this task.

• werner created this object with edit policy "Contributor (Project)".

• werner added a commit: rG21a8f3642072: dirmngr: Fix uninitialized use of union dns_any in dns_rr_cmp..Thu, May 7, 12:41 PM

• werner mentioned this in T7997: Release GnuPG 2.5.20.Wed, May 13, 3:11 PM

• werner changed the task status from Open to Testing.Wed, May 13, 3:17 PM

• werner moved this task from Backlog to WIP on the gnupg26 board.

dirmngr may use an uninitalized struct in the DNS code.Testing, NormalPublicActions

Description

Revisions and Commits

Related Objects

Event Timeline

dirmngr may use an uninitalized struct in the DNS code.
Testing, NormalPublic
Actions