Summary: CVE-2011-2207 dirmngr: Improper dealing with blocking system calls, when verifying a certificate
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Version: unspecified
CC: rdieter, tmraz, vdanen
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Last Closed: 2011-06-13 09:11:22 UTC
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Description Jan Lieskovsky 2011-06-03 15:50:17 UTC
Dirmngr, a server/client tool for managing and downloading CRLs, uses a user-land threads implementation (Pth) for wrapping system calls that may potentially block. A remote attacker could use this flaw to cause a hang of an end-user application relying on the proper services of the dirmngr daemon, via a request to verify a specially-crafted certificate.

Upstream bug report:
  https://bugs.g10code.com/gnupg/issue1313

Relevant public PoC file:
  https://bugs.g10code.com/gnupg/file324/DTAG_Issuing_CA_i01.der

Upstream patch:
  http://cvs.gnupg.org/cgi-bin/viewcvs.cgi?root=Dirmngr&view=rev

References:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377
Comment 1 Jan Lieskovsky 2011-06-03 15:52:36 UTC
This issue affects the version of the dirmngr package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the version of the dirmngr package, as present within the EPEL-5 repository.

This issue affects the versions of the dirmngr package, as shipped with Fedora releases 13, 14, and 15.

Note: Having said the above, please have a look at the following note regarding the impact too.
Comment 2 Jan Lieskovsky 2011-06-03 16:02:43 UTC
Issue impact:
=============

This seems to be a very low security impact issue, if even that. It is true that dirmngr --daemon hangs for a bit (less than a minute in my testing) and that during that time period the server was unresponsive even to ping (dirmngr-client --ping) requests, but after that minute the certificate verification *always* ended with the following connection timeout message (the following scenario is based on the reproducer from ):

a) start the dirmngr daemon:
# dirmngr -vvv --daemon
DIRMNGR_INFO=/var/run/dirmngr/socket:26775:1; export DIRMNGR_INFO;

b) start the certificate verification
# time dirmngr-client DTAG_Issuing_CA_i01.der

c) in the meantime try to --ping the dirmngr daemon instance
# time dirmngr-client --ping

d) look at the time results
# time dirmngr-client DTAG_Issuing_CA_i01.der
dirmngr-client: certificate check failed: Connection timed out

real 0m21.003s
user 0m0.000s
sys 0m0.001s

# time dirmngr-client --ping
dirmngr-client: a dirmngr daemon is up and running

real 0m17.100s
user 0m0.001s
sys 0m0.000s

But as noted in:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377#5

"For example the KMail hung when trying to verify a signature which has the certificate in the chain."

so this will need further research.
Comment 3 Jan Lieskovsky 2011-06-03 16:23:13 UTC
CVE Request / Discussion:  http://www.openwall.com/lists/oss-security/2011/06/03/8
Comment 4 Huzaifa S. Sidhpurwala 2011-06-13 09:11:22 UTC
This is a client side DoS and does not seem like a security issue. An attacker sends you a signed email. You try to verify the signature with an email client which uses dirmngr. This causes the daemon to hang and causes a denial of service to other local clients who want to use the service of dirmngr as well.