Bug 710529 - CVE-2011-2207 dirmngr: Improper dealing with blocking system calls, when verifying a certificate
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: public=20110520,reported=20110520,sou...
Keywords: Security
Reported: 2011-06-03 11:50 EDT by Jan Lieskovsky
Modified: 2011-07-06 17:08 EDT
Last Closed: 2011-06-13 05:11:22 EDT
Doc Type: Bug Fix
Attachments: None
Description Jan Lieskovsky 2011-06-03 11:50:17 EDT
Dirmngr, a server/client tool for managing and downloading CRLs, used a
user-land threads implementation (Pth) for wrapping up system calls
that may potentially block. A remote attacker could use this flaw to
cause a hang of an end-user application relying on the proper services
of the dirmngr daemon, via a request to verify a specially-crafted
certificate.

Upstream bug report:
[1] https://bugs.g10code.com/gnupg/issue1313

Relevant public PoC file:
[2] https://bugs.g10code.com/gnupg/file324/DTAG_Issuing_CA_i01.der

Upstream patch:
[3] http://cvs.gnupg.org/cgi-bin/viewcvs.cgi?root=Dirmngr&view=rev

References:
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377
Comment 1 Jan Lieskovsky 2011-06-03 11:52:36 EDT
This issue affects the version of the dirmngr package, as shipped with
Red Hat Enterprise Linux 6.

--

This issue affects the version of the dirmngr package, as present within
the EPEL-5 repository.

This issue affects the versions of the dirmngr package, as shipped with
Fedora releases 13, 14, and 15.

Note: Having said the above, please have a look at the following note regarding
      the impact too.
Comment 2 Jan Lieskovsky 2011-06-03 12:02:43 EDT
Issue impact:
=============
This seems to be a very low security impact issue, if even that.

It is true that dirmngr --daemon hangs for a bit (it was less than a minute
in my testing) and that during that time period the server was unresponsive
even to ping (dirmngr-client --ping) requests, but after that minute the
certificate verification *always* ended with the following connection timeout
message (the following scenario is based on the reproducer from [1]):

a) start the dirmngr daemon:
# dirmngr -vvv --daemon
DIRMNGR_INFO=/var/run/dirmngr/socket:26775:1; export DIRMNGR_INFO;

b) start the certificate verification
# time dirmngr-client DTAG_Issuing_CA_i01.der

c) in the meantime try to --ping the dirmngr daemon instance
# time dirmngr-client --ping

d) look at the time results
# time dirmngr-client DTAG_Issuing_CA_i01.der 
dirmngr-client: certificate check failed: Connection timed out

real	0m21.003s
user	0m0.000s
sys	0m0.001s

# time dirmngr-client --ping
dirmngr-client: a dirmngr daemon is up and running

real	0m17.100s
user	0m0.001s
sys	0m0.000s

But as noted in:
[5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377#5

"For example the KMail hung when trying to verify a signature
which has the certificate in the chain."

so this will need further research.
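Added example (not code from this bug, from dirmngr, or from the upstream patch): a Python model of the mechanism described in the report and of the --ping delay measured in the reproducer above. A local socket that accepts connections but never replies stands in for an unreachable CRL distribution point, and the daemon is modelled as a loop that handles each client request to completion. Serving every request on one thread reproduces the observation that a ping waits behind a stuck verification for the length of the network timeout; handing requests to kernel worker threads is shown only as one possible remedy and is an assumption of this example, not a description of how upstream fixed the bug.

```python
"""Model of the failure mode in this bug: a daemon that services all clients
on one thread and makes a blocking network call while verifying a certificate
stalls every other client until that call returns.  Written for this page;
it is not dirmngr's code and not the upstream patch."""
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor


def start_silent_host():
    """Constructed stand-in for an unresponsive CRL distribution point: it
    accepts TCP connections but never sends a byte, so a client's recv()
    blocks until the client's own timeout fires.  Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    held = []  # keep accepted connections open so the peer never sees EOF

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed by the caller
                return
            held.append(conn)

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def fetch_crl(port, timeout):
    """Blocking CRL fetch: connect, send a request, wait for the reply.
    Returns the reply bytes, or None once `timeout` seconds pass without one
    (the 'Connection timed out' outcome seen in the reproducer)."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        s.sendall(b"GET /crl.der HTTP/1.0\r\n\r\n")
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


def handle(request, crl_port, timeout):
    """Service one client request.  Only VERIFY touches the network."""
    if request == "PING":
        return "a dirmngr daemon is up and running"
    if request == "VERIFY":
        if fetch_crl(crl_port, timeout) is None:
            return "certificate check failed: Connection timed out"
        return "certificate check succeeded"
    return "unknown command"


def serve_single_threaded(requests, crl_port, timeout):
    """Vulnerable shape: each request runs to completion on the one service
    thread, which is what a user-land thread library degrades to when a
    wrapped system call really blocks.  Returns each request's latency."""
    latency = {}
    t0 = time.monotonic()
    for req in requests:
        handle(req, crl_port, timeout)
        latency[req] = time.monotonic() - t0
    return latency


def serve_with_workers(requests, crl_port, timeout):
    """One remedy (an assumption for illustration, not the upstream fix): run
    each request on a kernel thread so a blocked VERIFY no longer delays PING."""
    latency = {}
    t0 = time.monotonic()

    def timed(req):
        handle(req, crl_port, timeout)
        latency[req] = time.monotonic() - t0

    with ThreadPoolExecutor(max_workers=len(requests)) as pool:
        for req in requests:
            pool.submit(timed, req)
    return latency


def demo(timeout=1.0):
    """PING queued behind VERIFY: delayed by the full network timeout in the
    single-threaded daemon, answered at once when VERIFY is offloaded."""
    srv, port = start_silent_host()
    try:
        blocked = serve_single_threaded(["VERIFY", "PING"], port, timeout)
        fixed = serve_with_workers(["VERIFY", "PING"], port, timeout)
    finally:
        srv.close()
    return blocked, fixed


if __name__ == "__main__":
    blocked, fixed = demo()
    print("single-threaded: PING answered after %.2fs" % blocked["PING"])
    print("worker threads:  PING answered after %.2fs" % fixed["PING"])
```

The timeout in the model is one second so it runs quickly; in the report the same shape shows up as a --ping that took 17 seconds while the verification waited out a 21 second connection timeout. Bounding the fetch with a timeout alone, as the single-threaded variant does, is not enough: every other client still waits for the whole timeout, which is exactly what the reproducer measured.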
Comment 3 Jan Lieskovsky 2011-06-03 12:23:13 EDT
CVE Request / Discussion:
[6] http://www.openwall.com/lists/oss-security/2011/06/03/8
Comment 4 Huzaifa S. Sidhpurwala 2011-06-13 05:11:22 EDT
This is a client side DoS and does not seem like a security issue.

An attacker sends you a signed email. You try to verify the signature with an email client which uses dirmngr. This causes the daemon to hang and causes a denial of service to other local clients who want to use the service of dirmngr as well.
Comment 5 Vincent Danen 2011-07-06 17:08:33 EDT
This issue was assigned CVE-2011-2207:

http://seclists.org/oss-sec/2011/q2/621
