Bug 710529 (CVE-2011-2207) - CVE-2011-2207 dirmngr: Improper dealing with blocking system calls, when verifying a certificate
Alias: CVE-2011-2207
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Reported: 2011-06-03 15:50 UTC by Jan Lieskovsky
Modified: 2021-02-24 15:18 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-06-13 09:11:22 UTC


Description Jan Lieskovsky 2011-06-03 15:50:17 UTC
Dirmngr, a server/client tool for managing and downloading CRLs, used
a user-land threads implementation (Pth) for wrapping system calls
that may potentially block. A remote attacker could use this flaw to
cause a hang of an end-user application relying on the proper services
of the dirmngr daemon, via a request to verify a specially-crafted

Upstream bug report:
[1] https://bugs.g10code.com/gnupg/issue1313

Relevant public PoC file:
[2] https://bugs.g10code.com/gnupg/file324/DTAG_Issuing_CA_i01.der

Upstream patch:
[3] http://cvs.gnupg.org/cgi-bin/viewcvs.cgi?root=Dirmngr&view=rev

[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377

Comment 1 Jan Lieskovsky 2011-06-03 15:52:36 UTC
This issue affects the version of the dirmngr package, as shipped with
Red Hat Enterprise Linux 6.


This issue affects the version of the dirmngr package, as present within
EPEL-5 repository.

This issue affects the versions of the dirmngr package, as shipped with
Fedora release of 13, 14, and 15.

Note: Having said the above, please have a look at the following note regarding
      the impact too.

Comment 2 Jan Lieskovsky 2011-06-03 16:02:43 UTC
Issue impact:
This seems to be a very low security impact issue, if even that.

It is true, that dirmngr --daemon hangs for a bit (was less than a minute
in my testing) and that during that time period the server was unresponsive
even for ping (dirmngr-client --ping) requests, but after that minute the
certificate verification *always* ended with the following connection timeout
message (following scenario based on reproducer from [1]):

a) start the dirmngr daemon:
# dirmngr -vvv --daemon
DIRMNGR_INFO=/var/run/dirmngr/socket:26775:1; export DIRMNGR_INFO;

b) start the certificate verification
# time dirmngr-client DTAG_Issuing_CA_i01.der

c) in the meantime try to --ping the dirmngr daemon instance
# time dirmngr-client --ping

d) look at the time results
# time dirmngr-client DTAG_Issuing_CA_i01.der 
dirmngr-client: certificate check failed: Connection timed out

real	0m21.003s
user	0m0.000s
sys	0m0.001s

# time dirmngr-client --ping
dirmngr-client: a dirmngr daemon is up and running

real	0m17.100s
user	0m0.001s
sys	0m0.000s

But as noted in:
[5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377#5

"For example the KMail hung when trying to verify a signature
which has the certificate in the chain."

so this will need further research.
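
A responsiveness probe for the condition measured in the comment above, as an added example that is not part of the original bug report or of dirmngr itself. Only `dirmngr-client --ping` comes from the page; the function name, the variables and both thresholds are assumptions, and with these defaults the 17-second ping shown above would be reported as hung.

```shell
#!/bin/sh
# Added example: classify dirmngr responsiveness by timing a ping.
# Only `dirmngr-client --ping` comes from the report; the function name,
# variables and thresholds are assumptions for illustration.
# Run it with DIRMNGR_INFO exported as printed by the daemon at start-up.

PING_CMD=${PING_CMD:-"dirmngr-client --ping"}  # overridable for testing
SLOW_SECS=${SLOW_SECS:-2}    # assumed: answers slower than this are "slow"
HUNG_SECS=${HUNG_SECS:-10}   # assumed: give up and report "hung" after this

probe_dirmngr() {
    start=$(date +%s)
    rc=0
    # timeout(1) from GNU coreutils exits 124 when it has to kill the command.
    # $PING_CMD is intentionally unquoted so it splits into command + args.
    timeout "$HUNG_SECS" $PING_CMD >/dev/null 2>&1 || rc=$?
    elapsed=$(( $(date +%s) - start ))

    if [ "$rc" -eq 124 ]; then
        state=hung      # no answer within HUNG_SECS: daemon is blocked
    elif [ "$rc" -ne 0 ]; then
        state=down      # client failed outright: daemon not reachable
    elif [ "$elapsed" -ge "$SLOW_SECS" ]; then
        state=slow      # answered, but late enough to stall clients
    else
        state=ok
    fi
    echo "$state ${elapsed}s"
}

# Typical use from cron or a monitoring agent:
#   result=$(probe_dirmngr)
#   case $result in ok*) ;; *) logger -t dirmngr-probe "$result" ;; esac
```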

Comment 3 Jan Lieskovsky 2011-06-03 16:23:13 UTC
CVE Request / Discussion:
[6] http://www.openwall.com/lists/oss-security/2011/06/03/8

Comment 4 Huzaifa S. Sidhpurwala 2011-06-13 09:11:22 UTC
This is a client side DoS and does not seem like a security issue.

An attacker sends you a signed email. You try to verify the signature with an email client which uses dirmngr. This causes the daemon to hang and causes a denial of service to other local clients who want to use the service of dirmngr as well.

Comment 5 Vincent Danen 2011-07-06 21:08:33 UTC
This issue was assigned CVE-2011-2207:


Comment 6 Doran Moppert 2020-02-11 00:27:40 UTC

Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.
