891142 – (CVE-2012-6085) CVE-2012-6085 GnuPG: read_block() corrupt key input validation

Bug 891142 (CVE-2012-6085) - CVE-2012-6085 GnuPG: read_block() corrupt key input validation

Summary: CVE-2012-6085 GnuPG: read_block() corrupt key input validation

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2012-6085
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	895850 1015736 1015737 1015738 1015739 1015740 1015741 1015968 1016525
Blocks:	891147 1015687
TreeView+	depends on / blocked

Reported:	2013-01-02 01:30 UTC by Kurt Seifried
Modified:	2021-02-17 08:15 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-08-21 23:48:24 UTC
Embargoed:

Attachments	(Terms of Use)
GnuPG1-CVE-2012-6085.patch (1.50 KB, patch) 2013-01-02 19:07 UTC, Kurt Seifried	no flags	Details \| Diff
GnuPG2-CVE-2012-6085.patch (1.50 KB, patch) 2013-01-02 19:08 UTC, Kurt Seifried	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:1458	0	normal	SHIPPED_LIVE	Moderate: gnupg security update	2013-10-24 19:22:57 UTC
Red Hat Product Errata	RHSA-2013:1459	0	normal	SHIPPED_LIVE	Moderate: gnupg2 security update	2013-10-24 19:22:46 UTC

Description Kurt Seifried 2013-01-02 01:30:44 UTC

KB Sriram (kbsriram) reports:

Versions of GnuPG <= 1.4.12 are vulnerable to memory access violations
and public keyring database corruption when importing public keys that
have been manipulated.

An OpenPGP key can be fuzzed in such a way that gpg segfaults (or has
other memory access violations) when importing the key.

The key may also be fuzzed such that gpg reports no errors when
examining the key (eg: "gpg the_bad_key.pkr") but importing it causes
gpg to corrupt its public keyring database.

The database corruption issue was first reported on Dec 6th, through
the gpg bug tracking system:

https://bugs.g10code.com/gnupg/issue1455

The subsequent memory access violation was discovered and reported in
a private email with the maintainer on Dec 20th.

A zip file with keys that causes segfaults and other errors is
available at http://dl.dropbox.com/u/18852638/gnupg-issues/1455.zip
and includes a log file that demonstrates the issues [on MacOS X and
gpg 1.4.11]

A new version of gpg -- 1.4.13 -- that addressed both these issues, was
independently released by the maintainer on Dec 20th.

The simplest solution is to upgrade all gpg installs to 1.4.13.

[Workarounds: A corrupted database may be recovered by manually
copying back the pubring.gpg~ backup file. Certain errors may also be prevented
by never directly importing a key, but first just "looking" at the key
(eg: "gpg bad_key.pkr"). However, this is not guaranteed to work in all cases;
though upgrading to 1.4.13 does work for the issues reported.]

Discovery:

The problem was discovered during a byte-fuzzing test of OpenPGP
certificates for an unrelated application. Each byte in turn was
replaced by a random byte, and the modified certificate fed to the
application to check that it handled errors correctly. Gpg was used as
a control, but it itself turned out to have errors related to packet
parsing. The errors are generally triggered when fuzzing the length
field of OpenPGP packets, which cascades into subsequent errors in
certain situations.

External references:
https://bugs.g10code.com/gnupg/issue1455
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=f0b33b6fb8e0586e9584a7a409dcc31263776a67

Comment 1 Adam Williamson 2013-01-02 17:58:49 UTC

Proposing as NTH, this is a security issue in a key package which is used during installation. But low impact, so not a blocker per the policy.

Comment 2 Tomas Mraz 2013-01-02 18:40:28 UTC

Of course gnupg2-2.0.19 (current latest upstream on 2.0 branch) is affected as well.

Comment 5 Kurt Seifried 2013-01-02 19:04:40 UTC

Please note for Fedora bug #889440 "gnupg-1.4.13 is available"

Comment 6 Kurt Seifried 2013-01-02 19:07:37 UTC

Created attachment 671621 [details]
GnuPG1-CVE-2012-6085.patch

Comment 7 Kurt Seifried 2013-01-02 19:08:14 UTC

Created attachment 671624 [details]
GnuPG2-CVE-2012-6085.patch

Comment 8 Kurt Seifried 2013-01-02 19:13:24 UTC

According to Werner Koch a 2.0.20 release of GnuPG is planned that will include the fix for this (498882296ffac7987c644aaf2a0aa108a2925471) but was delayed due to the holidays/etc.

Comment 9 Adam Williamson 2013-01-02 19:53:37 UTC

https://bugzilla.redhat.com/show_bug.cgi?id=891401 used for F18 NTH purposes.

Comment 10 Fedora Update System 2013-01-10 03:08:44 UTC

gnupg2-2.0.19-7.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2013-01-10 03:09:41 UTC

gnupg-1.4.13-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2013-01-12 15:23:42 UTC

gnupg2-2.0.19-7.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Huzaifa S. Sidhpurwala 2013-01-16 06:30:19 UTC

Created gnupg2 tracking bugs for this issue

Affects: epel-5 [bug 895850]

Comment 15 Fedora Update System 2013-01-20 02:58:42 UTC

gnupg2-2.0.19-7.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2013-01-20 03:17:00 UTC

gnupg-1.4.13-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2013-01-20 03:37:28 UTC

gnupg-1.4.13-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Huzaifa S. Sidhpurwala 2013-10-08 10:15:14 UTC

Created gnupg2 tracking bugs for this issue:

Affects: fedora-all [bug 1015968]

Comment 21 Huzaifa S. Sidhpurwala 2013-10-08 10:15:22 UTC

Created gnupg tracking bugs for this issue:

Affects: fedora-all [bug 1016525]

Comment 23 errata-xmlrpc 2013-10-24 15:24:53 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:1459 https://rhn.redhat.com/errata/RHSA-2013-1459.html

Comment 24 errata-xmlrpc 2013-10-24 15:26:51 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1458 https://rhn.redhat.com/errata/RHSA-2013-1458.html

Comment 25 Vincent Danen 2015-08-21 23:48:24 UTC

Statement:

(none)

Note You need to log in before you can comment on or make changes to this bug.