Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13756
Commit f799e9728bcadb3d4148a47848c78c5647860ea4 introduced a memory leak in import.c
`pkt = xmalloc (sizeof *pkt);` gets allocated in `import`
Bug can be reproduced with the attached test case {F630817}: `gpg --import clusterfuzz-testcase-minimized-fuzz_import-5751600352591872.dms`
Bug was introduced in `import_secret_one`
The patch should check the `valid` value from `import_one` before calling `resync_sec_with_pub_keyblock`:
```
diff --git a/g10/import.c b/g10/import.c
index 155792d5a..6a15cf565 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -2687,6 +2687,12 @@ import_secret_one (ctrl_t ctrl, kbnode_t keyblock,
NULL, NULL, options, 1, for_migration,
screener, screener_arg, 0, NULL, &valid);
+ if (!valid)
+ {
+ err = gpg_error (GPG_ERR_NO_SECKEY);
+ goto leave;
+ }
+
/* The secret keyblock may not have nodes which are deleted in
* the public keyblock. Otherwise we would import just the
* secret key without having the public key. That would be
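Review bot: the new `if (!valid)` block directly after the call ending in `&valid);` has no comment saying why it must run before the step that the following comment describes. A one-line comment stating that the secret keyblock must not be processed further when the public key import was not valid would keep a later cleanup from moving the check back down. Because the block exits through `goto leave`, it is also worth confirming that `leave` releases everything allocated up to this point, which this hunk does not show.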
@@ -2695,12 +2701,6 @@ import_secret_one (ctrl_t ctrl, kbnode_t keyblock,
if (err)
goto leave;
- if (!valid)
- {
- err = gpg_error (GPG_ERR_NO_SECKEY);
- goto leave;
- }
-
/* At least we cancel the secret key import when the public key
import was skipped due to MERGE_ONLY option and a new
key. */
```
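Review bot: removing the `!valid` block from below `if (err) goto leave;` reverses the order of the two checks, so when `err` is already set and `valid` is 0, the earlier block added by this patch replaces that error with `GPG_ERR_NO_SECKEY` before `if (err)` is reached. If the original error code should still reach the caller, test `err` first or write the early check as `if (!err && !valid)`.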