Potential use-after-free in keygen when handling keyserver option
Status: Testing; Priority: Normal; Visibility: Public

Authored by pl13, Thu, May 28, 8:54 AM
Description

Here is a snippet from a report we received on 2026-05-26

We got a report from AISLE about a potential use-after-free in gpg keygen
while processing the keyserver attribute when generating multiple keys in
batch mode.

This is caused by an ownership mismatch of opt.def_keyserver_url, which is
not copied from the first block context but reused in the second block.

I do not think this is practically exploitable as it would require users to
process "malicious" batch files, but I still think it's worth fixing at your
own timeline.

Reproducer:

# Two batch blocks: the first carries a Keyserver: line, the second does not.
cat > params.txt <<'EOF'
Key-Type: RSA
Subkey-Type: RSA
Name-Real: UAF One
Name-Email: one@example.org
Expire-Date: 0
Keyserver: hkps://keys.openpgp.org
%no-protection
%commit

Key-Type: RSA
Subkey-Type: RSA
Name-Real: UAF Two
Name-Email: two@example.org
Expire-Date: 0
%no-protection
%commit
EOF
# Run the generation under valgrind; the invalid read shows up while the second block is processed.
valgrind gpg --batch --generate-key params.txt

Reported by: Jakub Jelen; found by AISLE in partnership with Red Hat
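The ownership mismatch the report describes, modelled as an added example in C. This is not GnuPG's source: `struct options`, `struct block_ctx`, `xstrdup`, the `apply_block_*`/`release_block_*` pairs and `run_two_blocks` are stand-ins chosen for illustration, and the only names taken from the report are `opt.def_keyserver_url` and the keyserver URL from the reproducer. The buggy pair shows the borrow-then-free shape; the fixed pair keeps `opt` the sole owner of whatever it points to and restores the previous default when a block ends, so the second block never sees memory the first block freed.

```c
/* Added illustration (not GnuPG source): the ownership mismatch from the
 * report, modelled on a stand-in `opt` record and per-block contexts. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the global option record; only the field from the report. */
struct options {
    char *def_keyserver_url;   /* fixed model: always owned by opt, or NULL */
};
static struct options opt;

/* Stand-in for one parsed batch block (everything up to a %commit line). */
struct block_ctx {
    char *keyserver;       /* owned by the block; NULL if no "Keyserver:" line */
    char *saved_default;   /* opt value displaced by this block (fixed model) */
    int overrode;          /* nonzero while this block's copy is installed */
};

/* Portable strdup; aborts on allocation failure. */
char *xstrdup(const char *s)
{
    if (!s) return NULL;
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) { perror("malloc"); exit(1); }
    memcpy(p, s, n);
    return p;
}

/* BUGGY pair, the shape the report describes: opt borrows the block's string
 * and the block later frees it, so opt.def_keyserver_url dangles into the
 * next block.  Present for comparison only; main() does not call it, because
 * reading opt after release_block_buggy() is undefined behaviour (valgrind,
 * as in the reproducer, reports an invalid read in the second block). */
void apply_block_buggy(struct block_ctx *b)
{
    if (b->keyserver)
        opt.def_keyserver_url = b->keyserver;   /* alias, ownership not transferred */
}
void release_block_buggy(struct block_ctx *b)
{
    free(b->keyserver);                         /* opt still points here */
    b->keyserver = NULL;
}

/* FIXED pair: opt only ever points at memory it owns.  A block's Keyserver
 * installs a private copy and displaces the previous default, which is put
 * back when the block is released, so no block's lifetime leaks into opt. */
void apply_block_fixed(struct block_ctx *b)
{
    if (!b->keyserver)
        return;                                 /* default stays in force */
    b->saved_default = opt.def_keyserver_url;
    opt.def_keyserver_url = xstrdup(b->keyserver);
    b->overrode = 1;
}
void release_block_fixed(struct block_ctx *b)
{
    if (b->overrode) {
        free(opt.def_keyserver_url);            /* the copy made above */
        opt.def_keyserver_url = b->saved_default;
        b->saved_default = NULL;
        b->overrode = 0;
    }
    free(b->keyserver);                         /* safe: opt no longer aliases it */
    b->keyserver = NULL;
}

/* Replays the reproducer's two blocks (first with a Keyserver: line, second
 * without) under the fixed discipline.  Writes the URL each key generation
 * would observe into *seen1 / *seen2 as fresh copies (NULL when none) and
 * returns 0.  The block strings are constructed to mirror the reproducer. */
int run_two_blocks(const char *global_default, char **seen1, char **seen2)
{
    opt.def_keyserver_url = xstrdup(global_default);   /* e.g. from --keyserver */
    struct block_ctx one = { xstrdup("hkps://keys.openpgp.org"), NULL, 0 };
    struct block_ctx two = { NULL, NULL, 0 };

    apply_block_fixed(&one);
    *seen1 = xstrdup(opt.def_keyserver_url);
    release_block_fixed(&one);

    apply_block_fixed(&two);
    *seen2 = xstrdup(opt.def_keyserver_url);   /* valid memory in every case */
    release_block_fixed(&two);

    free(opt.def_keyserver_url);
    opt.def_keyserver_url = NULL;
    return 0;
}

int main(void)
{
    char *s1, *s2;
    run_two_blocks(NULL, &s1, &s2);
    printf("key one: %s\nkey two: %s\n", s1, s2 ? s2 : "(none)");
    free(s1);
    free(s2);
    return 0;
}
```

Swapping the fixed pair for the buggy pair inside `run_two_blocks` and running under valgrind, as the reproducer does, or building with `-fsanitize=address`, flags the read in the second block; the fixed pair runs clean. The invariant matters more than the helper names: whoever frees a string must be the only holder of the pointer, and a global that outlives a block must hold its own copy.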

Event Timeline

pl13 created this object in space Restricted Space.
pl13 created this object with visibility "g10code (Project)".
pl13 created this object with edit policy "g10code (Project)".
gniibe triaged this task as Normal priority.
gniibe mentioned this in Unknown Object (Maniphest Task). Mon, Jun 1, 3:26 AM
gniibe changed the task status from Open to Testing. Mon, Jun 8, 2:52 AM
gniibe shifted this object from the Restricted Space space to the S1 Public space. Mon, Jun 8, 3:21 AM
gniibe changed the visibility from "g10code (Project)" to "Public (No Login Required)".
gniibe changed the edit policy from "g10code (Project)" to "All Users".
gniibe mentioned this in Unknown Object (Maniphest Task). Mon, Jun 8, 3:32 AM