GnuPG is a complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG is an RFC2440 (OpenPGP) compliant application.
GnuPG has an external HKP interface, which is marked as experimental and is not enabled by default in the 1.2 stable branch; to use it you must compile GnuPG with the '--enable-external-hkp' configuration option. On the 1.3 development branch the external HKP interface is enabled by default, and it can be disabled by compiling GnuPG with the '--disable-hkp' configuration option.
When the external HKP interface is enabled, GnuPG uses the 'gpgkeys_hkp' utility for keyserver access. A format string vulnerability in the 'gpgkeys_hkp' utility allows a malicious keyserver, in the worst case, to execute arbitrary code on the user's machine.
Credit:
The advisory is available at: http://www.s-quadra.com/advisories/Adv-20031203.txt.
The information has been provided by S-Quadra Security Research.
Vulnerable systems:
* GnuPG version 1.2.3
* GnuPG version 1.3.3
The offending code can be found in keyserver/gpgkeys_hkp.c:
int get_key(char *getkey)
{
  int rc,gotit=0;
  char search[29];
  char *request;
  struct http_context hd;
  ...
  if(verbose>2)
    fprintf(console,"gpgkeys: HTTP URL is \"%s\"\n",request);

  rc=http_open_document(&hd,request,http_flags);
  if(rc!=0)
    {
      fprintf(console,"gpgkeys: HKP fetch error: %s\n",
              rc==G10ERR_NETWORK?strerror(errno):g10_errstr(rc));
      fprintf(output,"KEY 0x%s FAILED\n",getkey);
    }
  else
    {
      unsigned int maxlen=1024,buflen;
      byte *line=NULL;

      while(iobuf_read_line(hd.fp_read,&line,&buflen,&maxlen))
        {
          maxlen=1024;

          if(gotit)
            {
              // S-Quadra: here is where format string bug lives
              fprintf(output,line);
              if(strcmp(line,"-----END PGP PUBLIC KEY BLOCK-----\n")==0)
                break;
            }
          else
            if(strcmp(line,"-----BEGIN PGP PUBLIC KEY BLOCK-----\n")==0)
              {
                // S-Quadra: here is where format string bug lives
                fprintf(output,line);
                gotit=1;
              }
        }
  ...
  return 0;
}
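The two flagged calls pass a line received from the keyserver as the format argument of fprintf(), so any '%' directives in that line are interpreted rather than copied. The following is an added illustration of the hardened pattern; it is not GnuPG code and its function names (render_line, emit_key_line, extract_armor, demo_matches) and the sample keyserver lines are constructed for this example. It treats the received line strictly as data, rendering it through an explicit "%s" directive or fputs(), and walks a small stand-in for the BEGIN/END loop in get_key() so the effect on a line containing '%' sequences can be checked.

```c
#include <stdio.h>
#include <string.h>

/* Hardened rendering: the line is an argument, never the format string,
 * so "%s", "%n" and friends inside it are written literally.
 * Returns the number of bytes written, or -1 if dst was too small. */
int render_line(char *dst, size_t dstlen, const char *line)
{
    int n = snprintf(dst, dstlen, "%s", line);
    if (n < 0 || (size_t)n >= dstlen)
        return -1;
    return n;
}

/* Drop-in replacement for fprintf(output,line): fputs takes no format
 * argument at all, so there is nothing for a '%' in the data to reach. */
int emit_key_line(FILE *output, const char *line)
{
    return fputs(line, output) == EOF ? -1 : 0;
}

/* Stand-in for the response loop in get_key(): copy lines from the BEGIN
 * marker through the END marker into dst using the hardened rendering.
 * Returns the number of bytes placed in dst. */
size_t extract_armor(const char *const *lines, size_t nlines,
                     char *dst, size_t dstlen)
{
    int gotit = 0;
    size_t used = 0;

    for (size_t i = 0; i < nlines; i++) {
        const char *line = lines[i];
        if (!gotit) {
            if (strcmp(line, "-----BEGIN PGP PUBLIC KEY BLOCK-----\n") != 0)
                continue;           /* still in the HTTP preamble */
            gotit = 1;              /* the BEGIN line itself is copied below */
        }
        int n = render_line(dst + used, dstlen - used, line);
        if (n < 0)
            return used;            /* output buffer full; stop cleanly */
        used += (size_t)n;
        if (strcmp(line, "-----END PGP PUBLIC KEY BLOCK-----\n") == 0)
            break;
    }
    return used;
}

/* Constructed sample reply (not a real keyserver response). The middle
 * line carries "%s%n" to show that the directives survive untouched.
 * Returns 1 if the extracted armor matches the expected text exactly. */
int demo_matches(void)
{
    static const char *const sample[] = {
        "Content-Type: text/html\n",
        "-----BEGIN PGP PUBLIC KEY BLOCK-----\n",
        "Version: constructed %s%n sample\n",
        "-----END PGP PUBLIC KEY BLOCK-----\n",
        "trailing html\n",
    };
    static const char expected[] =
        "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
        "Version: constructed %s%n sample\n"
        "-----END PGP PUBLIC KEY BLOCK-----\n";
    char out[256];

    size_t used = extract_armor(sample, sizeof sample / sizeof sample[0],
                                out, sizeof out);
    return used == strlen(expected) && strcmp(out, expected) == 0;
}

int main(void)
{
    /* Prints the sample armor verbatim, '%' characters included. */
    if (demo_matches())
        emit_key_line(stdout, "armor copied literally: OK\n");
    return demo_matches() ? 0 : 1;
}
```

Building with GCC's -Wformat-security warns on a call such as fprintf(output,line) whose format argument is not a string literal and which has no further arguments, which is a cheap way to catch this class of bug in a code base before a review like this one does.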
Fix information:
S-Quadra alerted the GnuPG development team to this issue on 27th November 2003. For the 1.2 branch a fix is available in CVS; the latest development version, 1.3.4, also contains a fix for the reported bug.