Bug Report: Client DOS in g10 keyserver search
Christoph M. Wintersteiger
christoph.wintersteiger at inf.ethz.ch
Thu Apr 26 11:34:13 CEST 2007
At least versions 1.4.4, 1.4.7 and 2.0.3 of GnuPG allow malicious
keyservers to crash a client when searching for keys. The bug is due to
an incorrect implementation of trailing whitespace removal from a
keyservers response.
The bug can be found in g10/keyserver.c at
line 1410 (version 1.4.4)
line 1415 (version 1.4.7)
line 1424 (version 2.0.3),
which reads
plen[ptr]='\0';
Obviously the two variables have been reversed and the line should be
corrected to
ptr[plen]='\0';
At least versions 2.95, 3.2.3 and 4.1.2 of GCC do not warn when casting
the unsigned to a pointer and the pointer to an index.
Regards,
CM Wintersteiger
More information about the Gnupg-devel
mailing list