Debian Bug report logs - #381204
GnuPG security hole in memory allocation
Reported by: "Brian M. Carlson" <sandals@crustytoothpaste.ath.cx>
Date: Wed, 2 Aug 2006 20:33:16 UTC
Severity: grave
Tags: security
Found in version gnupg/1.4.3-2
Fixed in version 1.4.5-1
Done: James Troup <james@nocrew.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>: Bug#381204; Package gnupg.
Acknowledgement sent to "Brian M. Carlson" <sandals@crustytoothpaste.ath.cx>: New Bug report received and forwarded. Copy sent to James Troup <james@nocrew.org>.
Message #5 received at submit@bugs.debian.org:
Package: gnupg
Version: 1.4.3-2
Severity: grave
Tags: security
GnuPG 1.4.5 corrects some potential security problems in memory
allocation. From
http://lists.gnupg.org/pipermail/gnupg-announce/2006q3/000229.html :
* Fixed 2 more possible memory allocation attacks. They are
similar to the problem we fixed with 1.4.4. This bug can easily
be exploited for a DoS; remote code execution is not entirely
impossible.
I am inclined to say that this is grave, but since gnupg tends to do
memory allocation before it drops privileges, you might find that this
is critical instead. If you drop the SUID privileges, then it certainly
does not exceed grave.
I do not have a CVE number for this.
Reply sent to James Troup <james@nocrew.org>: You have taken responsibility.
Notification sent to "Brian M. Carlson" <sandals@crustytoothpaste.ath.cx>: Bug acknowledged by developer.
Message #10 received at 381204-done@bugs.debian.org:
Version: 1.4.5-1
"Brian M. Carlson" <sandals@crustytoothpaste.ath.cx> writes:
> Package: gnupg
> Version: 1.4.3-2
> Severity: grave
> Tags: security
>
> GnuPG 1.4.5 corrects some potential security problems in memory
> allocation.
http://lists.debian.org/debian-devel-changes/2006/08/msg00072.html
--
James
Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>: Bug#381204; Package gnupg.
Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>: Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>.
Message #15 received at 381204@bugs.debian.org:
Hi,
I extracted a minimal patch from 1.4.5 for the Sarge security update.
This has been assigned CVE-2006-3746.
Thanks,
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
[gnupg.CVE-2006-3746.diff (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>: Bug#381204; Package gnupg.
Acknowledgement sent to Werner Koch <wk@gnupg.org>: Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>.
Message #20 received at submit@bugs.debian.org:
On Wed, 2 Aug 2006 21:37, Brian M. Carlson said:
> I am inclined to say that this is grave, but since gnupg tends to do
> memory allocation before it drops privileges, you might find that this
The allocation problem, which is an overflow like
malloc(numbercontrolledbyuser+20), can only happen after privs are
dropped. It is in the parser of the actual OpenPGP data. So there is
no privilege escalation, just a "normal" remote code execution
possible.
BTW, in general I don't think it is worth installing gpg suid(root);
there are too many other bugs in the entire OS which will make it
easier to get the password than through a swap file.
Salam-Shalom,
Werner
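The allocation pattern described in the message above, malloc(numbercontrolledbyuser+20), shown beside a checked form. This is an added example, not code from GnuPG or from this thread; the record layout (4-byte big-endian length), the function names, and the use of uint32_t to model 32-bit size arithmetic are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EXTRA 20u /* fixed overhead added to the length read from the input */

/* Unchecked pattern: 32-bit size arithmetic wraps modulo 2^32. */
uint32_t unchecked_size(uint32_t user_len) { return user_len + EXTRA; }

/* Checked pattern: reject a length that would wrap or that claims more
 * bytes than the input still holds. Returns 0 and sets *out on success. */
int checked_size(uint32_t user_len, size_t remaining, size_t *out)
{
    if (user_len > UINT32_MAX - EXTRA) return -1; /* sum would wrap */
    if (user_len > remaining) return -1;          /* truncated input */
    *out = (size_t)user_len + EXTRA;
    return 0;
}

/* Hypothetical record: 4-byte big-endian length, then that many body bytes.
 * Returns a buffer of *alloc_len bytes with the body at offset EXTRA, or NULL. */
unsigned char *parse_record(const unsigned char *buf, size_t buflen, size_t *alloc_len)
{
    if (buflen < 4) return NULL;
    uint32_t len = (uint32_t)buf[0] << 24 | (uint32_t)buf[1] << 16 |
                   (uint32_t)buf[2] << 8 | (uint32_t)buf[3];
    size_t need;
    if (checked_size(len, buflen - 4, &need) != 0) return NULL;
    unsigned char *p = calloc(1, need);
    if (p == NULL) return NULL;
    memcpy(p + EXTRA, buf + 4, len); /* len <= buflen - 4 and len + EXTRA == need */
    *alloc_len = need;
    return p;
}

int main(void)
{
    /* Constructed input: header claims 0xFFFFFFF0 body bytes, only 2 follow. */
    const unsigned char bad[] = { 0xFF, 0xFF, 0xFF, 0xF0, 'x', 'y' };
    size_t n = 0;
    printf("unchecked size for 0xFFFFFFF0: %u bytes\n", (unsigned)unchecked_size(0xFFFFFFF0u));
    printf("checked parser: %s\n", parse_record(bad, sizeof bad, &n) ? "accepted" : "rejected");
    return 0;
}
```

The unchecked computation yields a 4-byte allocation for a claimed length of 0xFFFFFFF0, which is why any later copy sized by the claimed length runs past the buffer; the checked parser refuses the record before allocating.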
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Sun, 24 Jun 2007 10:22:45 GMT).
Last modified: Wed Jun 19 19:24:04 2019