gnupg: CVE-2006-3082: remote denial of service / crash

Debian Bug report logs - #375052
gnupg: CVE-2006-3082: remote denial of service / crash

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Alec Berryman <alec@thened.net>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: gnupg: CVE-2006-3082: remote denial of service / crash

Date: Thu, 22 Jun 2006 19:35:47 -0400

Package: gnupg
Version: 1.4.3-1
Severity: serious
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-3082: "parse-packet.c in GnuPG (gpg) 1.4.3 and 1.9.20, and
earlier versions, allows remote attackers to cause a denial of service
(gpg crash) and possibly overwrite memory via a message packet with a
large length, which could lead to an integer overflow, as demonstrated
using the --no-armor option."

Test case:

  perl -e 'print "\xcd\xff\xff\xff\xff\xfe"'| gpg --no-armor

The test case will reproducibly crash gnupg in both sid and sarge.

There is a patch [1] in the GnuPG CVS that purports to fix the issue; I
have not yet tested to see if it does (or even if it applies cleanly).

Please mention the CVE in your changelog.

Thanks,

Alec

[1] http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/trunk/g10/parse-packet.c?rev=4157&r1=4141&r2=4157&diff_format=u


- -- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16-alec-laptop
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages gnupg depends on:
ii  libbz2-1.0                  1.0.3-2      high-quality block-sorting file co
ii  libc6                       2.3.6-15     GNU C Library: Shared libraries
ii  libldap2                    2.1.30-13+b1 OpenLDAP libraries
ii  libreadline5                5.1-7        GNU readline and history libraries
ii  libusb-0.1-4                2:0.1.12-2   userspace USB programming library
ii  makedev                     2.3.1-81     creates device files in /dev
ii  zlib1g                      1:1.2.3-12   compression library - runtime

gnupg recommends no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEmylTAud/2YgchcQRAkR7AKCJKnxmQ/UIIJC5M/GAAki0164CawCfYnVo
+ByxhPRbhf9tg1DZYBd/FpU=
=KgL5
-----END PGP SIGNATURE-----

Message #10 received at 375052-close@bugs.debian.org (full text, mbox, reply):

From: James Troup <james@nocrew.org>

To: 375052-close@bugs.debian.org

Subject: Bug#375052: fixed in gnupg 1.4.3-2

Date: Fri, 23 Jun 2006 05:17:07 -0700

Source: gnupg
Source-Version: 1.4.3-2

We believe that the bug you reported is fixed in the latest version of
gnupg, which is due to be installed in the Debian FTP archive:

gnupg-udeb_1.4.3-2_i386.udeb
  to pool/main/g/gnupg/gnupg-udeb_1.4.3-2_i386.udeb
gnupg_1.4.3-2.diff.gz
  to pool/main/g/gnupg/gnupg_1.4.3-2.diff.gz
gnupg_1.4.3-2.dsc
  to pool/main/g/gnupg/gnupg_1.4.3-2.dsc
gnupg_1.4.3-2_i386.deb
  to pool/main/g/gnupg/gnupg_1.4.3-2_i386.deb
gpgv-udeb_1.4.3-2_i386.udeb
  to pool/main/g/gnupg/gpgv-udeb_1.4.3-2_i386.udeb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 375052@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Troup <james@nocrew.org> (supplier of updated gnupg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 23 Jun 2006 11:22:31 +0100
Source: gnupg
Binary: gnupg-udeb gnupg gpgv-udeb
Architecture: source i386
Version: 1.4.3-2
Distribution: unstable
Urgency: low
Maintainer: James Troup <james@nocrew.org>
Changed-By: James Troup <james@nocrew.org>
Description: 
 gnupg      - GNU privacy guard - a free PGP replacement
 gnupg-udeb - GNU privacy guard - a free PGP replacement (udeb)
 gpgv-udeb  - minimal signature verification tool (udeb)
Closes: 375052
Changes: 
 gnupg (1.4.3-2) unstable; urgency=low
 .
   * 26_user_id_overflow.dpatch: new patch pulled from upstream SVN to fix
     a crash when processing overly large User ID packets [CVE-2006-3082].
     Thanks to Alec Berryman <alec@thened.net>. Closes: #375052
Files: 
 d6175682d03b5c7781c0d9e445ea3efb 1317 utils standard gnupg_1.4.3-2.dsc
 9dce7cdf225bf646e00641de77c4f519 22979 utils standard gnupg_1.4.3-2.diff.gz
 0fd13f889b22106543c6db0b1abfd6dd 1952548 utils standard gnupg_1.4.3-2_i386.deb
 4390b759f4cf5c0da01aedb641236329 126036 debian-installer extra gpgv-udeb_1.4.3-2_i386.udeb
 083292b106b5e6deb2185c8e4fdef5f2 348076 debian-installer extra gnupg-udeb_1.4.3-2_i386.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iQIVAwUBRJvYCNfD8TGrKpH1AQLlBg/+PcM+n733g56w4/kN4UHYtoXy6eTuFJms
LyTjO511Nm+lM8bX25znRZv835h4+HGlxAcAYHTIG/K+Flc90zcAN5P9h0D7GeT7
+6idTrO3nng1MyRW3HUAUbYdWqhpAo+LG0TSPJ3LjWLzoGyymEM9HAiaalVRspxr
wBlmXtLP53Y4tkRMb8xU+DG8c6NeZL6tq571Oza4TBj9woM9GY9HpWu6WNFNHKkz
js0OFdNp3b2Gr3LbWDWIEJWKDLoxw/RHnsPT+VoI/7wkeYFvrUnFs2mgCLsLp1g5
yoNbFSSYn3bT0O662Ay4TBdg7TWStWcURExCSoMKHM2nEqcgP0GZPCHgNy8atwal
Ib/4kYFdp1OnN7XyIKxAE0u4bRma09se92hkzQkIF9nnIwEyHpJInheTf09zM6PX
FW/Wpd8Dx4x1ae/EbtLWdTI4bm+t5QbeVVAG9FuKnp6eMUsvLDqiMlxOJbK1Tgi0
sWfpbllrgUfh8tr623FfswuA/ADs+WUGjAoTBW7+HKzYWXwLFuYFDoP/N4J8ROEx
T8mJMNJ9MijfIioQd0l7KcwceO7vxFwuk8wtthfcWYJ0TV7nd7B208KEnN4XGbqk
FxOa1wNqG9fLWG8zka/26QQ4Nh44EUAlfrLwexjStr5XJ8x2KkVcHLL/is5PkPmG
iscl8iYOuOY=
=MexS
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.