* Integer Truncation of Input Arguments
- `string_to_cipher_algo` (for example) uses `strtol`, which returns a `long`, but stores the result in `val`, which is an `int`, so out-of-range values are silently truncated
- `openpgp_oid_from_str` is another case
* Integer Overflow in `literals_seen`
> An attacker can craft a message with a compressed packet, which contains >= `2147483648` literal packets, overflowing the counter, and thus allowing multiple plaintext attacks mitigated by this counter to work again.
* Buffer overflow in `stresc` in testing file `t-stringhelp.c`
> The function `stresc` in `t-stringhelp.c` suffers from an underallocation leading to a heap overflow. Furthermore, the function appears to be logically incorrect. The function seems to only be used in test code, however we still want to point out the bug to avoid future usage in production code. The first loop allocates **two** output characters per newline input character. However, in the second loop **three** output characters are written per newline character in the input. Additionally, the newline character itself is written among the output characters, raising the question of whether the escaping is done correctly.
* ANSI Sequences and Other Binary Output Gets Written to the Terminal Without Confirmation
> ANSI sequences can deceive the user about legitimate program output from *GnuPG* such as log messages, and the message contents. As a security critical tool for end users we recommend that *GnuPG* warn the user before outputting non-printable data (other than common whitespace), e.g., in the fashion of the gzip utility.
* `openpgp_oid_from_str` has a wrong memory-safety assumption
> The OID -1 would be parsed by `strtoul` as 4,294,967,295, which would be represented as more than 2 bytes.
>
> It is currently unreachable with user input, but this assumption is wrong and can lead to future memory corruption vulnerabilities.
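An added example (not GnuPG code) covering the `strtol`-into-`int` truncation finding above and the `strtoul` sign-wrap in the `openpgp_oid_from_str` finding: the unchecked pattern next to range-checked parsers that reject the same input. Function names are the example's own.

```c
/* Added example, not GnuPG code: the unchecked strtol-into-int pattern from the
 * findings above next to range-checked parsers that reject the same input. */
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Unchecked: the long returned by strtol is stored straight into an int, so a
 * value that fits in long but not in int is silently truncated (4294967295
 * becomes -1 on LP64 with gcc/clang, which convert out-of-range values
 * modulo 2^32). */
int parse_truncating(const char *s)
{
    int val = strtol(s, NULL, 10);
    return val;
}

/* Checked: returns 0 and stores the value only if the whole string is a
 * number that fits in an int; returns -1 otherwise. */
int parse_int_checked(const char *s, int *out)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0')          /* no digits, or trailing junk */
        return -1;
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return -1;
    *out = (int)v;
    return 0;
}

/* Checked: a value that must fit in two bytes. The first character must be a
 * digit, because strtoul skips whitespace and accepts a sign, turning "-1"
 * into ULONG_MAX (4,294,967,295 where unsigned long is 32 bits). */
int parse_u16_checked(const char *s, unsigned int *out)
{
    char *end;
    unsigned long v;
    if (*s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (*end != '\0' || errno == ERANGE || v > 0xFFFFUL)
        return -1;
    *out = (unsigned int)v;
    return 0;
}
```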