[Full-Disclosure] GnuPG 1.2.3, 1.3.3 external HKP interface format string issue

From: S-Quadra Security Research (research_at_s-quadra.com)
Date: 12/03/03

    To: full-disclosure <full-disclosure@lists.netsys.com>, bugtraq <bugtraq@securityfocus.com>
    Date: Wed, 03 Dec 2003 16:30:38 +0300

                S-Quadra Advisory #2003-12-03

    Topic: GnuPG 1.2.3, 1.3.3 external HKP interface format string issue
    Severity: Low
    Vendor URL: http://www.gnupg.org
    Advisory URL: http://www.s-quadra.com/advisories/Adv-20031203.txt
    Release date: 3 Dec 2003

    1. DESCRIPTION

    GnuPG is a complete and free replacement for PGP.
    Because it does not use the patented IDEA algorithm, it can be used
    without any restrictions.
    GnuPG is an RFC2440 (OpenPGP) compliant application.

    GnuPG has an external HKP interface which is marked as experimental and
    is not enabled by default in the 1.2 stable branch; to use it you must
    compile GnuPG with the '--enable-external-hkp' configuration option.
    On the 1.3 development branch the external HKP interface is enabled by
    default; to disable it you must compile GnuPG with the '--disable-hkp'
    configuration option.

    When the external HKP interface is enabled, GnuPG will make use of
    'gpgkeys_hkp' utility for keyserver accesses.

    There exists a format string vulnerability in the 'gpgkeys_hkp' utility
    which, in the worst case, would allow a malicious keyserver to execute
    arbitrary code on the user's machine.

    2. DETAILS

    The offending code can be found in keyserver/gpgkeys_hkp.c:

    <snip>
    int get_key(char *getkey)
    {
      int rc,gotit=0;
      char search[29];
      char *request;
      struct http_context hd;

      ...

      if(verbose>2)
        fprintf(console,"gpgkeys: HTTP URL is \"%s\"\n",request);

      rc=http_open_document(&hd,request,http_flags);
      if(rc!=0)
        {
          fprintf(console,"gpgkeys: HKP fetch error: %s\n",
                  rc==G10ERR_NETWORK?strerror(errno):g10_errstr(rc));
          fprintf(output,"KEY 0x%s FAILED\n",getkey);
        }
      else
        {
          unsigned int maxlen=1024,buflen;
          byte *line=NULL;

          while(iobuf_read_line(hd.fp_read,&line,&buflen,&maxlen))
            {
              maxlen=1024;

              if(gotit)
                {
                  // S-Quadra: here is where format string bug lives
                  // (the line read from the keyserver is used as the format string)
                  fprintf(output,line);
                  if(strcmp(line,"-----END PGP PUBLIC KEY BLOCK-----\n")==0)
                    break;
                }
              else
                if(strcmp(line,"-----BEGIN PGP PUBLIC KEY BLOCK-----\n")==0)
                  {
                    // S-Quadra: here is where format string bug lives
                    fprintf(output,line);
                    gotit=1;
                  }
            }
      ...
      return 0;
    }
    </snip>
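    The following is an added example, not code from GnuPG or from S-Quadra. It models the
    BEGIN/END relay loop of get_key() above with the format argument made constant, and adds a
    small audit helper that counts the conversions fprintf would interpret if a keyserver line
    were ever passed as the format string. The function names (relay_line, count_format_directives,
    relay_response) and the three-line sample response are constructed for this example; the
    "%x%x" in the sample only illustrates how conversion characters in untrusted data are detected
    and why the hardened form treats the line as data.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Added example (not GnuPG code): the line-relay loop of get_key() in
 * gpgkeys_hkp.c rewritten with a constant format string. All names and
 * the sample response below are constructed for this example. */

/* Hardened relay. The advisory's form was  fprintf(output, line);  which
 * lets a keyserver-controlled line act as the format string. Passing the
 * line through "%s" (or using fputs) keeps it as plain data. */
static void relay_line(FILE *output, const char *line)
{
    fprintf(output, "%s", line);
}

/* Audit helper: number of conversions fprintf would interpret if this
 * line were used as a format string ("%%" is a literal percent sign). */
int count_format_directives(const char *line)
{
    int n = 0;
    for (const char *p = line; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent, not a conversion */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Relay a constructed keyserver response into buf through the hardened
 * function, following the BEGIN/END block logic of get_key().
 * Returns the number of bytes written, or 0 on error. */
size_t relay_response(char *buf, size_t buflen)
{
    /* Constructed sample: the middle line carries "%x%x", which the
     * vulnerable pattern would have interpreted as two conversions. */
    static const char *const response[] = {
        "-----BEGIN PGP PUBLIC KEY BLOCK-----\n",
        "Comment: 100%x%x constructed line\n",
        "-----END PGP PUBLIC KEY BLOCK-----\n",
    };
    FILE *out;
    int gotit = 0;
    size_t i;

    memset(buf, 0, buflen);
    out = fmemopen(buf, buflen, "w");
    if (out == NULL)
        return 0;

    for (i = 0; i < sizeof response / sizeof response[0]; i++) {
        const char *line = response[i];
        if (gotit) {
            relay_line(out, line);
            if (strcmp(line, "-----END PGP PUBLIC KEY BLOCK-----\n") == 0)
                break;
        } else if (strcmp(line, "-----BEGIN PGP PUBLIC KEY BLOCK-----\n") == 0) {
            relay_line(out, line);
            gotit = 1;
        }
    }
    fclose(out);
    return strlen(buf);
}

int main(void)
{
    char buf[256];
    size_t n = relay_response(buf, sizeof buf);
    printf("%zu bytes relayed; conversions found in line 2: %d\n", n,
           count_format_directives("Comment: 100%x%x constructed line\n"));
    fputs(buf, stdout);   /* the "%x%x" arrives verbatim, as data */
    return 0;
}
```

    With the constant "%s" format the relayed output is a byte-for-byte copy of the key block,
    including the "%x%x" in the comment line, and count_format_directives() reports 2 for that
    line and 0 for the BEGIN/END markers, which is the kind of check a reviewer can run over
    any data path that ends in a printf-family call with a non-literal format.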

    3. FIX INFORMATION

    S-Quadra alerted the GnuPG development team to this issue on 27th November 2003.
    For the 1.2 branch the fix is available in CVS; the latest development
    version, 1.3.4, also contains the fix for the reported bug.

    4. CREDITS

    Evgeny Legerov <e.legerov@s-quadra.com> is responsible for discovering
    this issue.

    5. ABOUT

    S-Quadra offers services in computer security, penetration testing and
    network assessment, web application security, source code review and
    third party product vulnerability assessment, forensic support and
    reverse engineering.

    Security is an art and our goal is to bring responsible and high quality
    security service to the IT market, customized to meet the unique needs
    of each individual client.

    S-Quadra, (pronounced es quadra), is not an acronym.
    It's unique, creative and innovative - just like the security services
    we bring to our clients.

                S-Quadra Advisory #2003-12-03

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

