
Buffer overflow and other minor issues in GnuPG and libksba - TFPA 001/2014

Fuzzing GnuPG uncovered a couple of issues with potential security impact. All issues were found with american fuzzy lop and Address Sanitizer.

Buffer Overflow in OID decoding

A buffer overflow has been found in the OID decoding function when it is given malformed OIDs. The code is shared between GnuPG and libksba. libksba is used for OID decoding by gpgsm and dirmngr. In GnuPG the error can be triggered by using the --list-packets parameter on the fuzzing sample.

The bug can be used for Denial of Service. Code execution is unlikely but cannot be ruled out.

Affected are GnuPG 2.1.0 and its beta versions and all libksba versions before 1.3.2. The issue is fixed in libksba 1.3.2 and will be fixed in the soon to be released GnuPG 2.1.1. GnuPG 2.0.x and 1.x versions are not affected.

libksba 1.3.2 release announcement
GnuPG commit / patch
libksba commit / patch
Fuzzing sample
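As an added illustration of the input-validation problem behind the OID bug described above (this is not the GnuPG or libksba code and does not reproduce their bug), here is a DER OID decoder in C that refuses the malformed encodings a fuzzer typically produces, such as a truncated sub-identifier, a sub-identifier that overflows the accumulator, or a result that does not fit the output buffer, instead of reading or writing past its buffers:

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Decode the content octets of a DER-encoded OID into dotted notation.
 * Returns the string length written to out, or -1 if the encoding is
 * malformed or out is too small. Never writes beyond outlen bytes. */
int oid_to_string(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
    size_t pos = 0, used = 0;
    int first = 1;

    if (len == 0 || outlen == 0)
        return -1;

    while (pos < len) {
        uint32_t val = 0;
        int n;

        /* Each sub-identifier is base-128, MSB first; bit 7 set = more bytes. */
        for (;;) {
            unsigned char b;
            if (pos >= len)                 /* continuation bit on the last byte */
                return -1;
            if (val > (UINT32_MAX >> 7))    /* the next shift would lose bits */
                return -1;
            b = buf[pos++];
            val = (val << 7) | (b & 0x7f);
            if (!(b & 0x80))
                break;
        }

        if (first) {
            /* The first sub-identifier packs two arcs as X*40+Y; X is at most 2. */
            unsigned x = val < 40 ? 0 : (val < 80 ? 1 : 2);
            unsigned long y = val - 40ul * x;
            n = snprintf(out + used, outlen - used, "%u.%lu", x, y);
            first = 0;
        } else {
            n = snprintf(out + used, outlen - used, ".%lu", (unsigned long)val);
        }
        /* snprintf reports the length it wanted; refuse rather than truncate. */
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
    }
    return (int)used;
}
```

The constructed test inputs are the content octets of 1.2.840.113549.1.1.1 (rsaEncryption), a truncated copy of it, an over-wide sub-identifier, and a deliberately small output buffer.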

Multiple invalid memory access issues

Malformed packets can cause access to uninitialized variables and an off-by-one access with --list-packets. A NULL pointer dereference can happen on --verify (already independently discovered and fixed). A malformed encrypted packet causes a call to BUG() (no security impact, just a funny error message). Likely all minor issues.

GnuPG commit / patch for uninitialized variable access
GnuPG commit / patch for NULL pointer deref
GnuPG commit / patch for off-by-one
Fuzzing sample uninitialized variable access
Fuzzing sample off-by-one
Fuzzing sample NULL pointer deref

All issues have been privately reported to GnuPG developer Werner Koch on 2014-11-23/24/25 who quickly fixed them.


More people should fuzz GnuPG.


The Fuzzing Project on : Multiple issues in GnuPG found through keyring fuzzing (TFPA 001/2015)

A complex tool like GnuPG has many ways to parse input data. I previously had fuzzed GnuPG which had led to the detection of a Buffer Overflow vulnerability in GnuPG and libksba (CVE-2014-9087). Recently I tried to fuzz less obvious inputs of GnuPG: Keyri

