Bug 710529 (CVE-2011-2207) - CVE-2011-2207 dirmngr: Improper dealing with blocking system calls, when verifying a certificate
Summary: CVE-2011-2207 dirmngr: Improper dealing with blocking system calls, when veri...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2011-2207
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-06-03 15:50 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:45 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-06-13 09:11:22 UTC


Attachments (Terms of Use)

Description Jan Lieskovsky 2011-06-03 15:50:17 UTC
Dirmngr, server/client tool for managing and downloading CRLS, used
user land threads implementation (Pth) for wrapping up of system calls,
that may potentially block. A remote attacker could use this flaw to
cause a hang of an end-user application, relying of the proper services
of the dirmngr daemon, via a request to verify a specially-crafted
certificate.

Upstream bug report:
[1] https://bugs.g10code.com/gnupg/issue1313

Relevant public PoC file:
[2] https://bugs.g10code.com/gnupg/file324/DTAG_Issuing_CA_i01.der

Upstream patch:
[3] http://cvs.gnupg.org/cgi-bin/viewcvs.cgi?root=Dirmngr&view=rev

References:
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377

Comment 1 Jan Lieskovsky 2011-06-03 15:52:36 UTC
This issue affects the version of the dirmngr package, as shipped with
Red Hat Enterprise Linux 6.

--

This issue affects the version of the dirmngr package, as present within
EPEL-5 repository.

This issue affects the versions of the dirmngr package, as shipped with
Fedora release of 13, 14, and 15.

Note: Having said the above, please have a look at the following note regarding
      the impact too.

Comment 2 Jan Lieskovsky 2011-06-03 16:02:43 UTC
Issue impact:
=============
This seems to be very low security impact issue, if even that.

It is true, that dirmngr --daemon hangs for a bit (was less than a minute
in my testing) and that during that time period the server was unresponsive
even for pings (dirmngr-client --ping) requests, but after that minute the
certificate verification *always* ended with the following connection timeout
message (following scenario based on reproducer from [1]):

a) start the dirmngr daemon:
# dirmngr -vvv --daemon
DIRMNGR_INFO=/var/run/dirmngr/socket:26775:1; export DIRMNGR_INFO;

b) start the certificate verification
# time dirmngr-client DTAG_Issuing_CA_i01.der

c) in the meantime try to --ping the dirmngr daemon instance
# time dirmngr-client --ping

d) look at the time results
# time dirmngr-client DTAG_Issuing_CA_i01.der 
dirmngr-client: certificate check failed: Connection timed out

real	0m21.003s
user	0m0.000s
sys	0m0.001s

# time dirmngr-client --ping
dirmngr-client: a dirmngr daemon is up and running

real	0m17.100s
user	0m0.001s
sys	0m0.000s

But as noted in:
[5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377#5

"For example the KMail hung when trying to verify a signature
which has the certificate in the chain."

so this will need further research.

Comment 3 Jan Lieskovsky 2011-06-03 16:23:13 UTC
CVE Request / Discussion:
[6] http://www.openwall.com/lists/oss-security/2011/06/03/8

Comment 4 Huzaifa S. Sidhpurwala 2011-06-13 09:11:22 UTC
This is a client side DoS and does not seem like a security issue.

An attacker sends you a signed email. You try to verify the signature with an email client which uses dirmngr. This causes the daemon to hang and causes a denial of service to other local clients who want to use the service of dirmngr as well.

Comment 5 Vincent Danen 2011-07-06 21:08:33 UTC
This issue was assigned CVE-2011-2207:

http://seclists.org/oss-sec/2011/q2/621


Note You need to log in before you can comment on or make changes to this bug.