Buffer overflow and other minor issues in GnuPG and libksba - TFPA 001/2014
Fuzzing GnuPG uncovered a couple of issues with potential security impact. All issues were found with american fuzzy lop and AddressSanitizer.
Buffer Overflow in OID decoding
A Buffer Overflow has been found in the OID decoding function with malformed OIDs. The code is shared between GnuPG and libksba. libksba is used for OID decoding by gpgsm and dirmngr. In GnuPG the error can be triggered by using the --list-packets parameter on the fuzzing sample.
The bug can be used for Denial of Service. Code execution is unlikely but cannot be ruled out.
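The advisory does not reproduce the affected decoder, so as an added illustration of the bug class (this is example code written for this page, not GnuPG's or libksba's implementation) here is a DER OID decoder in C in which every read is bounded by the input length and every write by the output buffer size, so malformed OIDs are rejected with an error instead of running past a buffer. The function and constant names are assumptions; the sample encodings are standard OIDs (commonName and sha256WithRSAEncryption) plus constructed malformed inputs.

```c
/* Added example: bounds-checked decoding of DER OID content octets into
 * dotted-decimal text. Illustrative code, not the GnuPG/libksba decoder;
 * oid_to_string() and the OID_* constants are assumed names. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { OID_OK = 0, OID_ERR_MALFORMED = -1, OID_ERR_BUFFER = -2 };

/* Append "prefix<number>" to out[] only if it fits including the NUL.
 * Returns 0 on success, -1 when the output buffer is too small. */
static int append_num(char *out, size_t outlen, size_t *pos,
                      const char *prefix, uint64_t v)
{
    int n = snprintf(out + *pos, outlen - *pos, "%s%llu", prefix,
                     (unsigned long long)v);
    if (n < 0 || (size_t)n >= outlen - *pos)
        return -1;
    *pos += (size_t)n;
    return 0;
}

/* Decode OID content octets (no 0x06 tag, no length byte) into dotted
 * decimal. Rejects empty input, a sub-identifier starting with the
 * padding byte 0x80, a truncated base-128 group, and a group too long
 * for 64 bits; never reads past len or writes past outlen. */
int oid_to_string(const unsigned char *der, size_t len,
                  char *out, size_t outlen)
{
    size_t i = 0, pos = 0;
    int first = 1;

    if (!der || !out || outlen == 0)
        return OID_ERR_BUFFER;
    out[0] = '\0';
    if (len == 0)
        return OID_ERR_MALFORMED;          /* an OID needs at least one arc */

    while (i < len) {
        uint64_t v = 0;
        int nbytes = 0;

        if (der[i] == 0x80)
            return OID_ERR_MALFORMED;      /* non-minimal encoding */

        for (;;) {                         /* base-128, high bit = more */
            if (i >= len)
                return OID_ERR_MALFORMED;  /* truncated sub-identifier */
            if (++nbytes > 9)
                return OID_ERR_MALFORMED;  /* would overflow 64 bits */
            v = (v << 7) | (der[i] & 0x7f);
            if (!(der[i++] & 0x80))
                break;
        }

        if (first) {                       /* first two arcs: 40*X + Y */
            uint64_t x = v < 80 ? v / 40 : 2;
            uint64_t y = v - 40 * x;
            if (append_num(out, outlen, &pos, "", x) ||
                append_num(out, outlen, &pos, ".", y))
                return OID_ERR_BUFFER;
            first = 0;
        } else if (append_num(out, outlen, &pos, ".", v)) {
            return OID_ERR_BUFFER;
        }
    }
    return OID_OK;
}

/* Returns 1 if der decodes successfully to exactly `expected`. */
int decode_matches(const unsigned char *der, size_t len, const char *expected)
{
    char buf[64];
    return oid_to_string(der, len, buf, sizeof buf) == OID_OK &&
           strcmp(buf, expected) == 0;
}

/* Constructed test vectors: two well-known OIDs and three malformed inputs. */
const unsigned char OID_CN[]     = { 0x55, 0x04, 0x03 };
const unsigned char OID_SHA256RSA[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
                                        0x01, 0x01, 0x0B };
const unsigned char OID_TRUNC[]  = { 0x2A, 0x86 };            /* cut mid-arc */
const unsigned char OID_PAD[]    = { 0x2A, 0x80, 0x01 };      /* 0x80 padding */
const unsigned char OID_LONG[]   = { 0x2A, 0x81, 0x81, 0x81, 0x81, 0x81,
                                     0x81, 0x81, 0x81, 0x81, 0x01 };

int main(void)
{
    char buf[64];
    printf("cn:        %d %s\n", oid_to_string(OID_CN, sizeof OID_CN, buf, sizeof buf), buf);
    printf("sha256rsa: %d %s\n", oid_to_string(OID_SHA256RSA, sizeof OID_SHA256RSA, buf, sizeof buf), buf);
    printf("truncated: %d\n", oid_to_string(OID_TRUNC, sizeof OID_TRUNC, buf, sizeof buf));
    printf("padded:    %d\n", oid_to_string(OID_PAD, sizeof OID_PAD, buf, sizeof buf));
    printf("too long:  %d\n", oid_to_string(OID_LONG, sizeof OID_LONG, buf, sizeof buf));
    printf("small buf: %d\n", oid_to_string(OID_CN, sizeof OID_CN, buf, 4));
    return 0;
}
```

The point of the example is the shape of the checks rather than the exact OID grammar: the decoder computes each arc from bounded reads, refuses input that cannot be a valid encoding instead of guessing, and reports an output buffer that is too short rather than writing past it. A decoder built this way is also a convenient target for american fuzzy lop under AddressSanitizer, since any remaining out-of-bounds access surfaces immediately.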
Affected are GnuPG 2.1.0 and its beta versions and all libksba versions before 1.3.2. The issue is fixed in libksba 1.3.2 and will be fixed in the soon to be released GnuPG 2.1.1. GnuPG 2.0.x and 1.x versions are not affected.
libksba 1.3.2 release announcement
GnuPG commit / patch
libksba commit / patch
Fuzzing sample
CVE-2014-9087
Multiple invalid memory access issues
Malformed packets can cause access to uninitialized variables and an off-by-one access with --list-packets. A NULL pointer dereference can happen on --verify (already independently discovered and fixed). A malformed encrypted packet causes a call to BUG() (no security impact, just a funny error message). Likely all minor issues.
GnuPG commit / patch for uninitialized variable access
GnuPG commit / patch for NULL pointer deref
GnuPG commit / patch for off-by-one
Fuzzing sample uninitialized variable access
Fuzzing sample off-by-one
Fuzzing sample NULL pointer deref
All issues have been privately reported to GnuPG developer Werner Koch on 2014-11-23/24/25 who quickly fixed them.
Conclusion
More people should fuzz GnuPG.