Bug 2127010 (CVE-2022-3219) - CVE-2022-3219 gnupg: denial of service issue (resource consumption) using compressed packets
Summary: CVE-2022-3219 gnupg: denial of service issue (resource consumption) using com...
Keywords:
Status: NEW
Alias: CVE-2022-3219
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2127012 2127013 2127014 2127015 2127016
Blocks: 2112120
Reported: 2022-09-15 05:01 UTC by Sandipan Roy
Modified: 2023-07-07 08:32 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in GnuPG. GnuPG can spin on a relatively small input by crafting a public key with thousands of signatures attached and compressed down to a few kilobytes. This issue can potentially cause a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Sandipan Roy 2022-09-15 05:01:02 UTC
GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB; see $URL and the surrounding email threads for more details and test-cases.

The reporter has some proposed patches at https://dev.gnupg.org/D556 (and in oss-security / gnupg-devel threads); mostly these flag/reject compressed packets and indeterminate-length packets in contexts where they make no sense and arguably are not within the spec (certificates, keys, detached signatures).
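The check the proposed patches describe, treating compressed-data packets and non-fixed (partial or indeterminate) body lengths as out of place inside key material, can be made from the OpenPGP packet headers alone. The following is an added illustration, not code from GnuPG or from the D556 patches: it walks the top-level packet headers of a blob as laid out in RFC 4880 section 4.2, using the packet tags from section 4.3, and reports a compressed-data packet (tag 8), any partial or indeterminate body length, and a signature count above an assumed policy threshold (`max_signatures`, which is not a GnuPG setting). The sample certificates are constructed with dummy packet bodies; only their headers are meaningful.

```python
"""Walk OpenPGP packet headers (RFC 4880 section 4.2) and flag constructs that
have no place inside a certificate: compressed-data packets, partial body
lengths, old-format indeterminate lengths, and an implausible signature count.
Added example; not GnuPG code."""
import struct

# Packet tags from RFC 4880 section 4.3.
TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_COMPRESSED = 8
TAG_USER_ID = 13


def _need(data, pos, count):
    """Raise if fewer than `count` bytes remain at `pos` (truncated input)."""
    if pos + count > len(data):
        raise ValueError(f"truncated input at offset {pos}")


def _new_format_length(data, pos):
    """Decode a new-format length field. Returns (body_len, next_pos, is_partial)."""
    _need(data, pos, 1)
    first = data[pos]
    if first < 192:                      # one-octet length
        return first, pos + 1, False
    if first < 224:                      # two-octet length
        _need(data, pos, 2)
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:                     # five-octet length
        _need(data, pos, 5)
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5, False
    # 224..254: partial body length, a power of two; further chunks follow
    return 1 << (first & 0x1F), pos + 1, True


def walk_packets(data):
    """Return one dict per top-level packet: offset, tag, format, length, length_kind."""
    packets, pos, n = [], 0, len(data)
    while pos < n:
        start, ctb = pos, data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header byte {ctb:#04x} at offset {pos}")
        if ctb & 0x40:                   # new-format header: tag in the low six bits
            tag, fmt = ctb & 0x3F, "new"
            length, pos, partial = _new_format_length(data, pos + 1)
            body_len, chunks = length, 1
            _need(data, pos, length)
            pos += length
            while partial:               # partial chunks end with a non-partial length
                length, pos, partial = _new_format_length(data, pos)
                _need(data, pos, length)
                body_len, pos, chunks = body_len + length, pos + length, chunks + 1
            kind = "partial" if chunks > 1 else "fixed"
        else:                            # old-format header: tag in bits 5..2
            tag, fmt, ltype = (ctb >> 2) & 0x0F, "old", ctb & 0x03
            pos += 1
            if ltype == 3:               # indeterminate: body runs to end of input
                body_len, kind = n - pos, "indeterminate"
            else:
                width = (1, 2, 4)[ltype]
                _need(data, pos, width)
                body_len = int.from_bytes(data[pos:pos + width], "big")
                pos, kind = pos + width, "fixed"
            _need(data, pos, body_len)
            pos += body_len
        packets.append({"offset": start, "tag": tag, "format": fmt,
                        "length": body_len, "length_kind": kind})
    return packets


def audit_key_material(data, max_signatures=1000):
    """Return (offset, reason) findings for packets that should not appear in a key.
    `max_signatures` is an assumed policy knob for this example, not a GnuPG setting;
    the signature-count finding carries offset None because it concerns the whole blob."""
    findings, signatures = [], 0
    for p in walk_packets(data):
        if p["tag"] == TAG_COMPRESSED:
            findings.append((p["offset"], "compressed-packet"))
        if p["length_kind"] != "fixed":
            findings.append((p["offset"], p["length_kind"] + "-length"))
        if p["tag"] == TAG_SIGNATURE:
            signatures += 1
    if signatures > max_signatures:
        findings.append((None, f"too-many-signatures:{signatures}"))
    return findings


# Constructed sample (not a real key): packet bodies are dummies, only the headers matter.
CLEAN_CERT = (
    bytes([0x98, 0x03, 0x04, 0x00, 0x00])  # old-format tag 6 (public key), 3-byte body
    + bytes([0xCD, 0x05]) + b"alice"       # new-format tag 13 (user ID), 5-byte body
    + bytes([0x88, 0x02, 0x04, 0x10])      # old-format tag 2 (signature), 2-byte body
)
SUSPECT_CERT = CLEAN_CERT + bytes([
    0xC8, 0xE0, 0x00,   # new-format tag 8 (compressed data), partial chunk of 1 byte
    0x02, 0x00, 0x00,   # final chunk: length header 2, then 2 body bytes
])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_CERT), ("suspect", SUSPECT_CERT)):
        print(label, audit_key_material(blob))
```

Running the module prints an empty finding list for `CLEAN_CERT` and two findings at offset 16 for `SUSPECT_CERT` (a compressed-data packet, and a partial body length on that same packet). The walker never decompresses anything and stops with a `ValueError` on truncated input, so the cost of the check is linear in the size of the blob regardless of what the compressed body would expand to.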

Comment 1 Sandipan Roy 2022-09-15 05:22:12 UTC
Created gnupg1 tracking bugs for this issue:

Affects: epel-all [bug 2127013]
Affects: fedora-all [bug 2127014]


Created gnupg2 tracking bugs for this issue:

Affects: fedora-all [bug 2127015]

Comment 3 Jakub Jelen 2022-09-19 10:31:13 UTC
The upstream bug [0] with discussion from May (!) says the upstream is not going to implement/merge this change. From what I read on the oss-security [1], there is a reproducer and claims of DoS attacks. My reading is that this is not infinite recursion, but only slow processing of malformed inputs, which I consider low priority right now.

[0] https://dev.gnupg.org/T5993
[1] https://marc.info/?l=oss-security&m=165696590211434&w=4

Comment 4 Brian Lane 2022-09-19 15:36:27 UTC
(In reply to Jakub Jelen from comment #3)
> The upstream bug [0] with discussion from May (!) says the upstream is not
> going to implement/merge this change. From what I read on the oss-security
> [1], there is a reproducer and claims of DoS attacks. My reading is that
> this is not infinite recursion, but only slow processing of malformed
> inputs, which I consider low priority right now.
> 
> [0] https://dev.gnupg.org/T5993
> [1] https://marc.info/?l=oss-security&m=165696590211434&w=4

I agree. I am reluctant to backport things that upstream hasn't committed to fixing/changing and won't be doing anything for this on gpg1 until there is upstream consensus.
