Bug 1178764

Summary: gnupg2: double free in p12_build()
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bcl, carnil, falonso, rdieter, tmraz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: GnuPG 2.1.2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-09 16:36:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1178774    
Bug Blocks: 1178767    

Description Vasyl Kaigorodov 2015-01-05 13:11:03 UTC
Double-free issue was reported [1] in gnupg2:

agent/minip12.c:
...
2178       cd = jnlib_iconv_open (charset, "utf-8");
2179       if (cd == (jnlib_iconv_t)(-1))
2180         {
2181           log_error ("can't convert passphrase to"
2182                      " requested charset `%s': %s\n",
2183                      charset, strerror (errno));
2184           gcry_free (pwbuf);
2185           goto failure;
2186         }
...
2268  failure:
2269   if (pwbuf)
2270     {
2271       wipememory (pwbuf, pwbufsize);
2272       gcry_free (pwbuf);
2273     }
...

gcry_free() is called twice on 'pwbuf'.

Upstream commit that fixes this:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=ed8383c618e124cfa708c9ee87563fcdf2f4649c

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773472

Comment 1 Vasyl Kaigorodov 2015-03-09 16:36:39 UTC
Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.