Bug 1113267 (CVE-2014-3564)
| Summary: | CVE-2014-3564 gpgme: heap-based buffer overflow in gpgsm status handler | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomáš Trnka <tomastrnka> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED WONTFIX | QA Contact: | |||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | unspecified | CC: | carnil, fkluknav, jrusnack, scorneli, security-response-team, slukasik, vkaigoro, vkrizan | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Release Note | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2015-08-22 06:58:54 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1125170, 1125172 | ||||||
| Bug Blocks: | 1116412, 1116414 | ||||||
| Attachments: |
|
||||||
I've assigned this CVE-2014-3564 and contacted Werner Koch. This is now fixed in gpgme 1.5.1. External references: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77 Acknowledgements: Red Hat would like to thank Tomáš Trnka for reporting this issue. E-Mail to OSS-Security: http://www.openwall.com/lists/oss-security/2014/07/31/5 Created gpgme tracking bugs for this issue: Affects: fedora-all [bug 1125170] Created gpgme tracking bugs for this issue: Affects: epel-5 [bug 1125172] gpgme-1.4.3-5.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. gpgme-1.3.2-5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. *** Bug 1116412 has been marked as a duplicate of this bug. *** Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. |
Created attachment 912217 [details] Patch fixing the overflow Description of problem: A bug in GPGME crashes my KMail reproducibly when opening the private key selection dialog twice in a row. The crash is due to an overflow of the gpgsm->colon.attic.line buffer within status_handler() in engine-gpgsm.c. This buffer is getting (re)allocated at line 831 like this: if (gpgsm->colon.attic.linesize < *alinelen + linelen + 1) { char *newline = realloc (*aline, *alinelen + linelen + 1); gpgsm->colon.attic.linesize += linelen + 1; ... So in other words, the code allocates a buffer to be *alinelen + linelen + 1 bytes long, but then thinks its capacity is actually linesize + linelen + 1. This assumption is wrong if *alinelen (the number of bytes used in the buffer prior to reallocation) is lower than linesize (the total length of the buffer), or in other words, if the buffer is not completely full. In that case, a fragment of the input line is subsequently written past the end of the buffer at line 856: *dst = *src++; I'm not sure if it is really exploitable, but in general this routine is processing arbitrary data coming from certificates the user happens to encounter somehow, so one could possibly exploit this using specially crafted certificate or something like that. Attached is a trivial patch fixing the issue (works fine for me during daily use of KMail with e-mail signing/encryption). Version-Release number of selected component (if applicable): gpgme-1.3.2-4.fc20.x86_64 How reproducible: Perfectly reproducible for me, but as the bug is data-dependent and I'm not going to publish my keys, I don't have a simple testcase. (I don't think it matters at all as the bug is quite obvious just from the source.)