A flaw was found in libgcrypt 1.9.0. A heap-based buffer overflow in the block buffer management code may lead to memory corruption before any verification is made or signature is validated.

Upstream patch: https://dev.gnupg.org/rC512c0c75276949f13b6373b5c04f7065af750b08

References:
https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html
https://twitter.com/filosottile/status/1355124205080240131?s=21
Created mingw-libgcrypt tracking bugs for this issue: Affects: fedora-all [bug 1923213]
Created libgcrypt tracking bugs for this issue: Affects: fedora-all [bug 1923267]
Statement: No Red Hat products are affected by this flaw, as the vulnerable version of libgcrypt (1.9.0) has not been shipped in any products.
External References: https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000455.html https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html
Flaw technical summary:

The _gcry_md_block_write() function in file cipher/hash-common.c is used for hashing. Specifically, it is used to write a chunk of data to the transform function of a hash algorithm [1]. libgcrypt has a partial mitigation to protect against timing side-channel attacks by sometimes writing (via a call to gcry_md_write()) after the context is finalized. In this case, it is possible for hd->count to be greater than the blocksize, resulting in an underflow in the calculation blocksize - hd->count, and finally leading to a heap-buffer-overflow -> out-of-bounds write of payload data supplied by an attacker in the subsequent call to buf_cpy().

The upstream patch inserts a check for if(hd->count > blocksize) and sets hd->count to 0 in order to prevent this flaw. Note that cryptographer Filippo Valsorda expresses some concern about the patch in [2].

1. https://dev.gnupg.org/source/libgcrypt/browse/master/cipher/hash-common.c;512c0c75276949f13b6373b5c04f7065af750b08$113
2. https://twitter.com/FiloSottile/status/1355134373415280644
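The size calculation described in the technical summary above, as an added example that is not part of the original report and is not libgcrypt's code: a simplified C model that computes the copy length without performing any write, with and without the count > blocksize guard. The names model_ctx, copy_len, write_in_bounds, unchecked_is_safe and checked_is_safe are hypothetical, and the block size and count values are constructed.

```c
#include <stddef.h>
#include <stdio.h>

#define BLOCKSIZE 64u   /* constructed sample block size */

/* Simplified stand-in for the hash context fields named in the summary. */
struct model_ctx {
    unsigned char buf[BLOCKSIZE];
    size_t count;       /* bytes currently buffered */
};

/* Length a buffered-copy step would use when it clamps inlen to the
 * "room left" value blocksize - count, computed in unsigned arithmetic. */
static size_t copy_len(size_t count, size_t blocksize, size_t inlen)
{
    size_t room = blocksize - count;  /* wraps to a huge value if count > blocksize */
    return inlen < room ? inlen : room;
}

/* 1 if writing copylen bytes starting at buf[count] stays inside the buffer. */
static int write_in_bounds(size_t count, size_t blocksize, size_t copylen)
{
    return count <= blocksize && copylen <= blocksize - count;
}

/* Unchecked path: trusts count as found in the context. */
int unchecked_is_safe(const struct model_ctx *hd, size_t inlen)
{
    size_t n = copy_len(hd->count, BLOCKSIZE, inlen);
    return write_in_bounds(hd->count, BLOCKSIZE, n);
}

/* Checked path: applies the guard from the summary before computing the length. */
int checked_is_safe(struct model_ctx *hd, size_t inlen)
{
    if (hd->count > BLOCKSIZE)
        hd->count = 0;
    size_t n = copy_len(hd->count, BLOCKSIZE, inlen);
    return write_in_bounds(hd->count, BLOCKSIZE, n);
}

int main(void)
{
    struct model_ctx a = { {0}, BLOCKSIZE + 8 };  /* constructed post-finalize state */
    struct model_ctx b = a;
    printf("unchecked in bounds: %d\n", unchecked_is_safe(&a, 100));
    printf("checked in bounds:   %d\n", checked_is_safe(&b, 100));
    return 0;
}
```

Because the subtraction is unsigned, the clamp never limits the length once count exceeds the block size, which is why the guard has to run before the length is computed.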