Multiple issues in GnuPG found through keyring fuzzing (TFPA 001/2015)

2015.02.14
Credit: Hanno Böck
Risk: Medium
Local: Yes
Remote: No
CWE: N/A

Advisory published here: https://blog.fuzzing-project.org/5-Multiple-issues-in-GnuPG-found-through-keyring-fuzzing-TFPA-0012015.html

A complex tool like GnuPG has many ways to parse input data. I had previously fuzzed GnuPG, which led to the detection of a buffer overflow in GnuPG and libksba (CVE-2014-9087). Recently I tried to fuzz less obvious inputs of GnuPG: keyrings and configuration files.

GnuPG allows a non-standard keyring to be specified on the command line. Fuzzing GPG with

gpg --export --no-default-keyring --keyring [input keyring]

led to the detection of various issues. (Please note that the --keyring parameter needs the full path, and it does not cope with file names containing unusual characters like the ones generated by american fuzzy lop.)

NULL pointer dereference in parse_trust (parse-packet.c)
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=39978487863066e59bb657f5fe4e8baab510da7e
https://crashes.fuzzing-project.org/TFPA-2015-01-gnupg-keyring-null-ptr-1

NULL pointer dereference in do_key (build-packet.c)
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=0835d2f44ef62eab51fce6a927908f544e01cf8f
https://crashes.fuzzing-project.org/TFPA-2015-01-gnupg-keyring-null-ptr-2

Use after free (build-packet.c)
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=f0f71a721ccd7ab9e40b8b6b028b59632c0cc648
https://crashes.fuzzing-project.org/TFPA-2015-01-gnupg-keyring-use-after-free

memcpy with overlapping ranges (keybox_search.c)
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2183683bd633818dd031b090b5530951de76f392
https://crashes.fuzzing-project.org/TFPA-2015-01-gnupg-keyring-memcpy-overlap

All issues were found with american fuzzy lop. Fuzzing of the configuration file parser showed no issues.

While keyrings are usually not user-submitted data, some of the affected code can be reached through other code paths. None of the issues looks severe; however, judging the exact security impact would require further analysis.
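A GnuPG keyring is a flat sequence of OpenPGP packets (RFC 4880 section 4), including GnuPG's private trust packets (tag 12), which is the packet type parse_trust handles. When afl produces a crashing keyring, the first triage step is usually to see which packet the file breaks in. The following packet walker is an added example for that purpose; it is not GnuPG's parser, it does not implement partial body lengths, and the sample keyring it embeds is constructed by hand (a stub public key, a user ID, a trust packet and a stub signature), not a real export.

```python
"""Walk the OpenPGP packets in a GnuPG keyring file (RFC 4880 section 4).

Added example for triaging afl-generated keyring files; not GnuPG's own code.
The sample keyring at the bottom is constructed by hand.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Packet tags from RFC 4880 4.3. Tag 12 (trust) is implementation-defined;
# GnuPG stores it in keyrings but never emits it from --export.
TAG_NAMES = {
    2: "signature", 5: "secret key", 6: "public key", 7: "secret subkey",
    12: "trust", 13: "user ID", 14: "public subkey", 17: "user attribute",
}


class TruncatedPacket(ValueError):
    """A packet header promised more body bytes than the file contains."""


@dataclass
class Packet:
    offset: int        # position of the header byte in the file
    tag: int
    body: bytes
    new_format: bool

    @property
    def name(self) -> str:
        return TAG_NAMES.get(self.tag, f"tag {self.tag}")


def _read_length(data: bytes, pos: int, ctb: int) -> Tuple[int, int]:
    """Decode the length field at data[pos:], returning (length, body_start)."""
    if ctb & 0x40:                                   # new-format header, 4.2.2
        if pos >= len(data):
            raise TruncatedPacket(f"offset {pos}: header ends before length field")
        o1 = data[pos]
        if o1 < 192:
            return o1, pos + 1
        if o1 < 224:
            if pos + 2 > len(data):
                raise TruncatedPacket(f"offset {pos}: two-octet length cut off")
            return ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2
        if o1 == 255:
            if pos + 5 > len(data):
                raise TruncatedPacket(f"offset {pos}: five-octet length cut off")
            return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
        raise NotImplementedError(f"offset {pos}: partial body length not supported")
    ltype = ctb & 0x03                               # old-format header, 4.2.1
    if ltype == 3:
        raise ValueError(f"offset {pos}: indeterminate length is not valid in a keyring")
    n = 1 << ltype                                   # 1, 2 or 4 length octets
    if pos + n > len(data):
        raise TruncatedPacket(f"offset {pos}: {n}-octet length cut off")
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def iter_packets(data: bytes) -> Iterator[Packet]:
    """Yield packets in file order; raise on the first malformed header."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:                           # bit 7 must be set
            raise ValueError(f"offset {pos}: {ctb:#04x} is not a packet header")
        new_format = bool(ctb & 0x40)
        tag = ctb & 0x3f if new_format else (ctb >> 2) & 0x0f
        length, body_start = _read_length(data, pos + 1, ctb)
        body_end = body_start + length
        if body_end > len(data):                     # the classic fuzzer mutation
            raise TruncatedPacket(
                f"offset {pos}: {TAG_NAMES.get(tag, tag)} packet claims {length} "
                f"body bytes but only {len(data) - body_start} remain")
        yield Packet(pos, tag, data[body_start:body_end], new_format)
        pos = body_end


def parse_packets(data: bytes) -> List[Packet]:
    return list(iter_packets(data))


def triage(data: bytes) -> Tuple[List[str], Optional[str]]:
    """Report how far a (possibly fuzzed) keyring parses and where it breaks."""
    seen: List[str] = []
    try:
        for p in iter_packets(data):
            seen.append(f"{p.offset:#06x} {p.name} ({len(p.body)} bytes)")
    except (ValueError, NotImplementedError) as exc:
        return seen, str(exc)
    return seen, None


# Constructed sample (not a real keyring): key stub, user ID, trust, signature stub.
SAMPLE_KEYRING = (
    b"\x99\x00\x05" + b"\x04\x00\x00\x00\x00"    # old-format tag 6, 2-octet length
    + b"\xb4\x05" + b"alice"                     # old-format tag 13, 1-octet length
    + b"\xb0\x02" + b"\x00\x00"                  # old-format tag 12 (trust), 2 bytes
    + b"\xc2\x03" + b"\x04\x13\x01"              # new-format tag 2, 1-octet length
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYRING
    lines, error = triage(blob)
    print("\n".join(lines))
    if error:
        print("parse error:", error)
```

Run it with an afl output file as the argument (copied to a plain path first, since the afl-generated names are exactly the ones gpg --keyring rejects) to see the last packet that parsed cleanly before the file stops making sense; that packet, or the one after it, is where to start reading the GnuPG source when the crash site alone is not informative.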
Timeline:
2015-02-06 Reported three issues to GnuPG developer Werner Koch
2015-02-09 All reported issues fixed in git
2015-02-09 Reported one more issue to Werner Koch
2015-02-11 Last issue fixed in git
2015-02-11 Release of GnuPG 2.1.2 containing all fixes

--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno () hboeck de
GPG: BBB51E42

References:

http://seclists.org/oss-sec/2015/q1/551
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=39978487863066e59bb657f5fe4e8baab510da7e
https://crashes.fuzzing-project.org/TFPA-2015-01-gnupg-keyring-null-ptr-1
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=0835d2f44ef62eab51fce6a927908f544e01cf8f
https://crashes.fuzzing-project.org/TFPA-2015-01-gnupg-keyring-null-ptr-2
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=f0f71a721ccd7ab9e40b8b6b028b59632c0cc648
https://crashes.fuzzing-project.org/TFPA-2015-01-gnupg-keyring-use-after-free
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2183683bd633818dd031b090b5530951de76f392
https://crashes.fuzzing-project.org/TFPA-2015-01-gnupg-keyring-memcpy-overlap


Copyright 2019, cxsecurity.com