Bug 1113267 (CVE-2014-3564) - CVE-2014-3564 gpgme: heap-based buffer overflow in gpgsm status handler
Summary: CVE-2014-3564 gpgme: heap-based buffer overflow in gpgsm status handler
Alias: CVE-2014-3564
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Duplicates: 1116412
Depends On: 1125170 1125172
Blocks: 1116412 1116414
Reported: 2014-06-25 19:35 UTC by Tomáš Trnka
Modified: 2021-10-05 07:00 UTC (History)

Fixed In Version:
Doc Type: Release Note
Doc Text:
Clone Of:
Last Closed: 2015-08-22 06:58:54 UTC

Attachments
Patch fixing the overflow (862 bytes, patch)
2014-06-25 19:35 UTC, Tomáš Trnka

Description Tomáš Trnka 2014-06-25 19:35:57 UTC
Created attachment 912217
Patch fixing the overflow

Description of problem:
A bug in GPGME crashes my KMail reproducibly when opening the private key selection dialog twice in a row.

The crash is due to an overflow of the gpgsm->colon.attic.line buffer within status_handler() in engine-gpgsm.c. This buffer is getting (re)allocated at line 831 like this:

if (gpgsm->colon.attic.linesize < *alinelen + linelen + 1) {
    char *newline = realloc (*aline, *alinelen + linelen + 1);
    gpgsm->colon.attic.linesize += linelen + 1;

So in other words, the code allocates a buffer to be *alinelen + linelen + 1 bytes long, but then thinks its capacity is actually linesize + linelen + 1. This assumption is wrong if *alinelen (the number of bytes used in the buffer prior to reallocation) is lower than linesize (the total length of the buffer), or in other words, if the buffer is not completely full.

In that case, a fragment of the input line is subsequently written past the end of the buffer at line 856:

*dst = *src++;

I'm not sure if it is really exploitable, but in general this routine is processing arbitrary data coming from certificates the user happens to encounter somehow, so one could possibly exploit this using specially crafted certificate or something like that.

Attached is a trivial patch fixing the issue (works fine for me during daily use of KMail with e-mail signing/encryption).

Version-Release number of selected component (if applicable):

How reproducible:
Perfectly reproducible for me, but as the bug is data-dependent and I'm not going to publish my keys, I don't have a simple testcase. (I don't think it matters at all as the bug is quite obvious just from the source.)
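The accounting error described in the report can be reproduced without any key material by modelling the attic bookkeeping in isolation. The following is an added example written for this page, not gpgme's own code: it mirrors the realloc check and the copy loop of status_handler() in both the pre-1.5.1 form (linesize += linelen + 1) and the corrected form (linesize = *alinelen + linelen + 1), and measures how far the copy loop would run past the real allocation instead of actually writing there. The struct fields line/linelen/linesize stand in for *aline, *alinelen and gpgsm->colon.attic.linesize; the `allocated` field, the 64-byte initial buffer and the two read sizes are assumptions constructed for the demonstration and do not come from gpgme.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the "attic" bookkeeping in gpgme's status_handler()
   (engine-gpgsm.c, colon mode).  Illustrative code for this page, not gpgme
   source.  line/linelen/linesize mirror *aline, *alinelen and
   gpgsm->colon.attic.linesize; 'allocated' exists only in this model so the
   overflow can be measured rather than triggered. */
struct attic {
    char   *line;       /* *aline: partial line carried between reads  */
    size_t  linelen;    /* *alinelen: bytes currently used in 'line'   */
    size_t  linesize;   /* capacity as the code believes it to be       */
    size_t  allocated;  /* real capacity (model-only ground truth)      */
    int     fixed;      /* 0: <= 1.5.0 accounting, 1: 1.5.1 accounting  */
};

static int attic_init(struct attic *a, size_t initial, int fixed)
{
    memset(a, 0, sizeof *a);
    a->line = malloc(initial);
    if (!a->line)
        return -1;
    a->linesize = a->allocated = initial;
    a->fixed = fixed;
    return 0;
}

static void attic_free(struct attic *a)
{
    free(a->line);
    a->line = NULL;
}

/* Feed one read of status output.  Mirrors the realloc check and the copy
   loop; returns how many bytes the loop would have written past the real
   allocation (0 = safe).  Out-of-bounds bytes are counted, never written.
   Returns (size_t)-1 on allocation failure. */
static size_t attic_feed(struct attic *a, const char *src, size_t srclen,
                         unsigned *lines_delivered)
{
    size_t overflow = 0;

    if (a->linesize < a->linelen + srclen + 1) {
        size_t newsize = a->linelen + srclen + 1;
        char *newline = realloc(a->line, newsize);
        if (!newline)
            return (size_t)-1;
        a->line = newline;
        a->allocated = newsize;
        if (a->fixed)
            a->linesize = newsize;       /* 1.5.1: record what was allocated */
        else
            a->linesize += srclen + 1;   /* <= 1.5.0: drifts above the allocation */
    }

    while (srclen--) {
        size_t pos = a->linelen;         /* where dst points in the real loop */
        if (*src == '\n') {
            if (pos < a->allocated) a->line[pos] = '\0'; else overflow++;
            (*lines_delivered)++;        /* completed colon line handed on */
            a->linelen = 0;
        } else {
            if (pos < a->allocated) a->line[pos] = *src; else overflow++;
            a->linelen++;
        }
        src++;
    }
    return overflow;
}

/* Two reads where the first carries no newline, as happens when one long
   colon line (e.g. a certificate listing) spans two reads.  Returns the
   total number of bytes written out of bounds, or (size_t)-1 on error. */
size_t simulate(int fixed)
{
    struct attic a;
    char chunk1[100], chunk2[40];        /* constructed sample data */
    unsigned lines = 0;
    size_t total, more;

    memset(chunk1, 'a', sizeof chunk1);  /* 100 bytes, no newline */
    memset(chunk2, 'b', sizeof chunk2);
    chunk2[sizeof chunk2 - 1] = '\n';    /* 39 bytes, then end of line */

    if (attic_init(&a, 64, fixed) < 0)
        return (size_t)-1;
    /* Read 1: 64 < 0+100+1, so realloc to 101 bytes.  Buggy accounting
       sets linesize to 64+101 = 165; fixed accounting sets it to 101. */
    total = attic_feed(&a, chunk1, sizeof chunk1, &lines);
    /* Read 2 needs 100+40+1 = 141 bytes.  Buggy: 165 < 141 is false, no
       realloc, and the copy runs 39 bytes past the 101-byte block.
       Fixed: 101 < 141, realloc to 141, nothing out of bounds. */
    more = attic_feed(&a, chunk2, sizeof chunk2, &lines);
    attic_free(&a);
    if (total == (size_t)-1 || more == (size_t)-1 || lines != 1)
        return (size_t)-1;
    return total + more;
}

int main(void)
{
    printf("gpgme <= 1.5.0 accounting: %zu bytes past the allocation\n", simulate(0));
    printf("gpgme 1.5.1 accounting:    %zu bytes past the allocation\n", simulate(1));
    return 0;
}
```

The trigger condition is exactly the one named in the report: the buffer was not full before the realloc (linelen 0 against a 64-byte allocation), so the old accounting credits the buffer with 64 bytes it does not have, and the next read that fits within that phantom capacity is copied unchecked. Changing the sizes of the two reads changes the overflow length but not the mechanism.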

Comment 5 Stefan Cornelius 2014-07-29 09:52:46 UTC
I've assigned this CVE-2014-3564 and contacted Werner Koch.

Comment 6 Stefan Cornelius 2014-07-31 08:35:08 UTC
This is now fixed in gpgme 1.5.1.

External references:



Red Hat would like to thank Tomáš Trnka for reporting this issue.

Comment 7 Stefan Cornelius 2014-07-31 08:48:21 UTC
E-Mail to OSS-Security:

Comment 8 Stefan Cornelius 2014-07-31 08:49:34 UTC
Created gpgme tracking bugs for this issue:

Affects: fedora-all [bug 1125170]

Comment 9 Stefan Cornelius 2014-07-31 08:52:12 UTC
Created gpgme tracking bugs for this issue:

Affects: epel-5 [bug 1125172]

Comment 10 Fedora Update System 2014-12-22 02:37:49 UTC
gpgme-1.4.3-5.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2014-12-27 09:25:17 UTC
gpgme-1.3.2-5.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Vasyl Kaigorodov 2015-02-05 08:16:42 UTC
*** Bug 1116412 has been marked as a duplicate of this bug. ***

Comment 13 Vincent Danen 2015-08-22 06:58:42 UTC

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
