Hi,
I found a bug in the decryption routine of gpg with the help of afl and asan. It arises from the addition of line 1145, through which it is possible to decrement the pktlen variable five times even if it only has the value 4. Since it is an unsigned long int, this leads to undefined behaviour later on in the code. The risk of exploitation is mitigated by the assertion on line 1209.
cheers
jfe
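As an added illustration (not from the report and not gpg's code), a constructed model of the counter behaviour described above: an unsigned long length counter decremented five times from 4, beside a checked variant that rejects the malformed header instead of wrapping. Function and variable names are assumptions for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the issue in the report: a packet length of type
 * unsigned long is decremented once per consumed header byte. Names are
 * illustrative; this is not gpg's code. */

/* Unchecked variant: consuming n bytes from a packet that only has pktlen
 * bytes left wraps the counter around (4 - 5 becomes ULONG_MAX). */
unsigned long consume_unchecked(unsigned long pktlen, unsigned n)
{
    for (unsigned i = 0; i < n; i++)
        pktlen--;
    return pktlen;
}

/* Checked variant: refuse to consume more than the remaining length.
 * Returns false and leaves *pktlen untouched when the header claims more
 * bytes than the packet actually has, so the caller can reject the packet
 * before any later length-based arithmetic runs on a wrapped value. */
bool consume_checked(unsigned long *pktlen, unsigned n)
{
    if (*pktlen < n)
        return false;
    *pktlen -= n;
    return true;
}

int main(void)
{
    unsigned long left = 4;
    printf("unchecked: pktlen=%lu (ULONG_MAX is %lu)\n",
           consume_unchecked(left, 5), ULONG_MAX);
    bool ok = consume_checked(&left, 5);
    printf("checked:   ok=%d pktlen=%lu\n", ok, left);
    return 0;
}
```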