pgpdump: CVE-2016-4021: endless loop parsing specially crafted input

Debian Bug report logs - #773747

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Mon, 22 Dec 2014 21:33:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions pgpdump/0.27-1, pgpdump/0.28-1

Fixed in version pgpdump/0.31-0.1

Done: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/kazu-yamamoto/pgpdump/pull/16


Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Jose Luis Rivas <ghostbar@debian.org>:
Bug#773747; Package pgpdump. (Mon, 22 Dec 2014 21:33:07 GMT).


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pgpdump: infinite loop on crafted file
Date: Mon, 22 Dec 2014 22:31:07 +0100
Package: pgpdump
Version: 0.28-1
Usertags: afl

pgpdump hangs when trying to dump the attached crafted file.

strace tells me it's repeatedly trying to read past EOF:

read(0, "", 8192)                       = 0
read(0, "", 8192)                       = 0
read(0, "", 8192)                       = 0
read(0, "", 8192)                       = 0
read(0, "", 8192)                       = 0
[...ad infinitum...]

This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages pgpdump depends on:
ii  libbz2-1.0  1.0.6-7+b2
ii  libc6       2.19-13
ii  zlib1g      1:1.2.8.dfsg-2+b1

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org, Jose Luis Rivas <ghostbar@debian.org>:
Bug#773747; Package pgpdump. (Mon, 22 Dec 2014 21:45:05 GMT).


Message #6 received at 773747@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: 773747@bugs.debian.org
Subject: Re: Bug#773747: pgpdump: infinite loop on crafted file
Date: Mon, 22 Dec 2014 22:41:49 +0100
* Jakub Wilk <jwilk@debian.org>, 2014-12-22, 22:31:
>pgpdump hangs when trying to dump the attached crafted file.

Now really attached.

-- 
Jakub Wilk
[hang.pgp (application/pgp-encrypted, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jose Luis Rivas <ghostbar@debian.org>:
Bug#773747; Package pgpdump. (Mon, 22 Dec 2014 21:57:27 GMT).


Message #9 received at 773747@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: 773747@bugs.debian.org
Subject: Re: Bug#773747: pgpdump: infinite loop on crafted file
Date: Mon, 22 Dec 2014 22:52:03 +0100
* Jakub Wilk <jwilk@debian.org>, 2014-12-22, 22:41:
>>pgpdump hangs when trying to dump the attached crafted file.
>Now really attached.

But my MUA mangled it somehow. :-(

Third time lucky. This command hangs:

printf '\243\003' | pgpdump

-- 
Jakub Wilk
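
The two bytes in this repro decode, under RFC 4880, to an old-format packet header with tag 8 (Compressed Data) and length type 3 (indeterminate length), followed by compression algorithm 3 (BZip2) and then nothing: the packet body runs to end of input, and the input ends immediately. The strace above shows read(2) returning 0 forever, so whatever loop pgpdump used to feed its decompressor did not treat a zero-length read as the end of the stream. This bug log does not include pgpdump's source or the upstream patch, so the program below is an added example, not pgpdump's code and not the fix from pull request 16: it decodes the header bytes and drains an indeterminate-length body with a loop that ends on a zero-length read and is also capped in size. The function names, the in-memory stream standing in for stdin, and the 16 MiB cap are this example's own choices.

```c
/*
 * Added example (not pgpdump's own code): decode the two-byte input from
 * the bug report against RFC 4880 and show a body-reading loop that
 * stops on a zero-length read instead of spinning at EOF.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the bytes produced by printf '\243\003'. */
static const uint8_t CRAFTED[] = { 0xa3, 0x03 };

/* RFC 4880 identifiers used below (sections 4.3, 4.2.1 and 9.3). */
enum { TAG_COMPRESSED_DATA = 8, LENGTH_INDETERMINATE = 3, COMP_BZIP2 = 3 };

struct pgp_header {
    int old_format;   /* 1 = old-format header (bit 6 clear) */
    int tag;          /* packet tag (RFC 4880 section 4.3) */
    int length_type;  /* old-format length type 0..3; 3 = indeterminate */
};

/* Parse a packet header octet.  Returns 0 on success, -1 if bit 7 is clear
 * (the octet is not a packet header at all). */
int parse_header_octet(uint8_t b, struct pgp_header *h)
{
    if (!(b & 0x80))
        return -1;
    if (b & 0x40) {                 /* new-format: tag in the low six bits */
        h->old_format = 0;
        h->tag = b & 0x3f;
        h->length_type = -1;        /* length is encoded in following octets */
    } else {                        /* old-format: tag in bits 5..2 */
        h->old_format = 1;
        h->tag = (b >> 2) & 0x0f;
        h->length_type = b & 0x03;
    }
    return 0;
}

/* In-memory stand-in for the stdin pipe in the report (assumed helper). */
struct mem_stream { const uint8_t *buf; size_t len; size_t pos; };

/* Mimics read(2): copies up to n bytes, returns 0 once input is exhausted. */
static size_t mem_read(struct mem_stream *s, uint8_t *out, size_t n)
{
    size_t avail = s->len - s->pos;
    if (n > avail)
        n = avail;
    memcpy(out, s->buf + s->pos, n);
    s->pos += n;
    return n;
}

/* Consume an indeterminate-length body.  The strace in the report shows
 * read() returning 0 over and over; a loop that only exits on a negative
 * return never finishes.  Here a zero-length read is EOF and ends the loop,
 * and a size cap bounds the work even when input does keep arriving.
 * Returns bytes consumed, or -1 when the cap is exceeded. */
long drain_indeterminate_body(struct mem_stream *s, size_t max_bytes)
{
    uint8_t chunk[8192];
    size_t total = 0;
    for (;;) {
        size_t got = mem_read(s, chunk, sizeof chunk);
        if (got == 0)
            break;                  /* EOF: stop, never retry */
        total += got;
        if (total > max_bytes)
            return -1;
    }
    return (long)total;
}

/* Walk the crafted input: header octet, compression-algorithm octet, body.
 * Returns the algorithm id, or -1 if the input is not a Compressed Data
 * packet of indeterminate length.  *body_len receives the body size. */
int inspect_compressed_packet(const uint8_t *data, size_t len,
                              struct pgp_header *h, long *body_len)
{
    struct mem_stream s = { data, len, 0 };
    uint8_t b;

    if (mem_read(&s, &b, 1) != 1 || parse_header_octet(b, h) != 0)
        return -1;
    if (h->tag != TAG_COMPRESSED_DATA || h->length_type != LENGTH_INDETERMINATE)
        return -1;
    if (mem_read(&s, &b, 1) != 1)   /* algorithm octet (RFC 4880 section 5.6) */
        return -1;
    *body_len = drain_indeterminate_body(&s, 16u << 20);  /* 16 MiB cap, our choice */
    return b;
}

int main(void)
{
    struct pgp_header h;
    long body = 0;
    int alg = inspect_compressed_packet(CRAFTED, sizeof CRAFTED, &h, &body);

    printf("old_format=%d tag=%d length_type=%d algorithm=%d body_bytes=%ld\n",
           h.old_format, h.tag, h.length_type, alg, body);
    return alg == COMP_BZIP2 && body == 0 ? 0 : 1;
}
```

Built with cc -std=c99, it prints old_format=1 tag=8 length_type=3 algorithm=3 body_bytes=0 for the crafted input: a BZip2 compressed-data packet whose body is empty. The zero-return check is the part worth carrying into any reader that feeds zlib or bzip2 from a pipe, because an empty or truncated stream is exactly what a fuzzer like afl will hand it.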



Information forwarded to debian-bugs-dist@lists.debian.org, Jose Luis Rivas <ghostbar@debian.org>:
Bug#773747; Package pgpdump. (Mon, 22 Dec 2014 22:15:04 GMT).


Acknowledgement sent to Jose-Luis Rivas <ghostbar@riseup.net>:
Extra info received and forwarded to list. Copy sent to Jose Luis Rivas <ghostbar@debian.org>. (Mon, 22 Dec 2014 22:15:04 GMT).


Message #14 received at 773747@bugs.debian.org:

From: Jose-Luis Rivas <ghostbar@riseup.net>
To: Jakub Wilk <jwilk@debian.org>, 773747@bugs.debian.org
Subject: Re: Bug#773747: pgpdump: infinite loop on crafted file
Date: Mon, 22 Dec 2014 17:12:59 -0500
On 22/12/14, 10:31pm, Jakub Wilk wrote:
> Package: pgpdump
> Version: 0.28-1
> Usertags: afl
> 
> pgpdump hangs when trying to dump the attached crafted file.
> 
> strace tells me it's repeatedly trying to read past EOF:
> 
> read(0, "", 8192)                       = 0
> read(0, "", 8192)                       = 0
> read(0, "", 8192)                       = 0
> read(0, "", 8192)                       = 0
> read(0, "", 8192)                       = 0
> [...ad infinitum...]
> 
> This bug was found using American fuzzy lop:
> https://packages.debian.org/experimental/afl

Hi Jakub, what's the precise file you are trying here? Never got
anything attached here.

Kind regards.

-- 
⨳ PGP 0x13EC43EEB9AC8C43 ⨳ https://ghostbar.co

Information forwarded to debian-bugs-dist@lists.debian.org, Jose Luis Rivas <ghostbar@debian.org>:
Bug#773747; Package pgpdump. (Mon, 22 Dec 2014 22:15:08 GMT).


Acknowledgement sent to Jose-Luis Rivas <ghostbar@riseup.net>:
Extra info received and forwarded to list. Copy sent to Jose Luis Rivas <ghostbar@debian.org>. (Mon, 22 Dec 2014 22:15:08 GMT).


Message #19 received at 773747@bugs.debian.org:

From: Jose-Luis Rivas <ghostbar@riseup.net>
To: Jakub Wilk <jwilk@debian.org>, 773747@bugs.debian.org
Subject: Re: Bug#773747: pgpdump: infinite loop on crafted file
Date: Mon, 22 Dec 2014 17:14:24 -0500
On 22/12/14, 10:52pm, Jakub Wilk wrote:
> * Jakub Wilk <jwilk@debian.org>, 2014-12-22, 22:41:
> >>pgpdump hangs when trying to dump the attached crafted file.
> >Now really attached.
> 
> But my MUA mangled it somehow. :-(
> 
> Third time lucky. This command hangs:
> 
> printf '\243\003' | pgpdump
> 
> -- 
> Jakub Wilk

Just got these messages, thanks, now it's actually attached.

-- 
⨳ PGP 0x13EC43EEB9AC8C43 ⨳ https://ghostbar.co

Changed Bug title to 'pgpdump: CVE-2016-4021: endless loop parsing specially crafted input' from 'pgpdump: infinite loop on crafted file'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 21 Apr 2016 05:27:03 GMT).


Added tag(s) security, upstream, and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 21 Apr 2016 05:27:03 GMT).


Set Bug forwarded-to-address to 'https://github.com/kazu-yamamoto/pgpdump/pull/16'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 21 Apr 2016 05:27:04 GMT).


Marked as found in versions pgpdump/0.27-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 21 Apr 2016 05:27:05 GMT).


Severity set to 'grave' from 'normal'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Tue, 20 Sep 2016 14:45:04 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Jose Luis Rivas <ghostbar@debian.org>:
Bug#773747; Package pgpdump. (Wed, 05 Oct 2016 04:51:03 GMT).


Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Jose Luis Rivas <ghostbar@debian.org>. (Wed, 05 Oct 2016 04:51:03 GMT).


Message #34 received at 773747@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: 773747@bugs.debian.org
Subject: Re: Bug#773747: pgpdump: infinite loop on crafted file
Date: Wed, 05 Oct 2016 12:46:56 +0800
On Mon, 22 Dec 2014 17:14:24 -0500 Jose-Luis Rivas wrote:
> On 22/12/14, 10:52pm, Jakub Wilk wrote:
> > This command hangs:
> > 
> > printf '\243\003' | pgpdump
> 
> Just got this messages, thanks, now it's actually attached.

This is fixed in upstream version 0.30, please upload it.

Please include the CVE number in the changelog.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Reply sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
You have taken responsibility. (Wed, 23 Nov 2016 06:36:03 GMT).


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Wed, 23 Nov 2016 06:36:03 GMT).


Message #39 received at 773747-close@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: 773747-close@bugs.debian.org
Subject: Bug#773747: fixed in pgpdump 0.31-0.1
Date: Wed, 23 Nov 2016 06:33:53 +0000
Source: pgpdump
Source-Version: 0.31-0.1

We believe that the bug you reported is fixed in the latest version of
pgpdump, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773747@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <dkg@fifthhorseman.net> (supplier of updated pgpdump package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 23 Nov 2016 01:23:35 -0500
Source: pgpdump
Binary: pgpdump
Architecture: source
Version: 0.31-0.1
Distribution: unstable
Urgency: medium
Maintainer: Jose Luis Rivas <ghostbar@debian.org>
Changed-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Description:
 pgpdump    - PGP packet visualizer
Closes: 773747 845390
Changes:
 pgpdump (0.31-0.1) unstable; urgency=medium
 .
   [ Daniel Kahn Gillmor ]
   * Non-maintainer upload (Closes: #845390, #773747)
   * use https URLs for Vcs-*
   * wrap-and-sort -ast
   * use dh_autoreconf
   * move to dh 10
   * imported patches from Peter Pentchev, already upstreamed
   * make debian/test work correctly
   * set up autopkgtest
 .
   [ Peter Pentchev ]
   * Bump Standards-Version to 3.9.8 with no changes.
   * Switch to HTTPS for the copyright format spec URL, too.
   * Break the BSD-3-clause license into a separate section.
   * Drop the dirs file, the upstream build system creates them.
   * Enable all the hardening build options.
   * Switch to the 3.0 (quilt) source format.
   * Add Multi-Arch: foreign to the binary package.
   * Add an upstream metadata file.
Checksums-Sha1:
 e8338d32439ddbdfe83fb8c854f383bcb405766d 2068 pgpdump_0.31-0.1.dsc
 cbf4023556257818efbefd91a13e3b57b56af17f 64012 pgpdump_0.31.orig.tar.gz
 14fa6e10f08fc6c79f443f5bb885f0b9ade4ca33 6028 pgpdump_0.31-0.1.debian.tar.xz
Checksums-Sha256:
 4347417df739ef3636820a3e08edd487127c51929c0b855d3fb198a0b3895746 2068 pgpdump_0.31-0.1.dsc
 7abf04a530c902cfb1f1a81c6b5fb88bd2c12b5f3c37dceb1245bfe28f2a7c0b 64012 pgpdump_0.31.orig.tar.gz
 bc613d133f844a6cebb4e077b232d33602842418b0cc60ce6c489e4a63d3b319 6028 pgpdump_0.31-0.1.debian.tar.xz
Files:
 0b283303b984b8bee9180d27ff7838a4 2068 utils optional pgpdump_0.31-0.1.dsc
 7defa0e9d7a12d254107d775c317430a 64012 utils optional pgpdump_0.31.orig.tar.gz
 af50db070d1ed7902724d069d712f51d 6028 utils optional pgpdump_0.31-0.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Dec 2016 08:35:09 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:06:10 2019; Machine Name: buxtehude
