From 344b548dc71657d0285d93f78f17a2663b5e586f Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 6 Jun 2018 15:46:24 +0200 Subject: gpg: Also detect a plaintext packet before an encrypted packet. * g10/mainproc.c (proc_encrypted): Print warning and later force an error. -- Note that when this error is triggered the plaintext from the literal data packet has already been outputted before the BEGIN_DECRYPTION status line. We fail only later to get more information. Callers need to check and act upon the decryption error code anyway. Thanks to Marcus for pointing out this case. GnuPG-bug-id: 4000 Signed-off-by: Werner Koch --- g10/mainproc.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'g10/mainproc.c') diff --git a/g10/mainproc.c b/g10/mainproc.c index 5689d73a8..d2ceec2fd 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -615,6 +615,14 @@ static void proc_encrypted (CTX c, PACKET *pkt) { int result = 0; + int early_plaintext = literals_seen; + + if (early_plaintext) + { + log_info (_("WARNING: multiple plaintexts seen\n")); + write_status_errcode ("decryption.early_plaintext", GPG_ERR_BAD_DATA); + /* We fail only later so that we can print some more info first. */ + } if (!opt.quiet) { @@ -734,6 +742,10 @@ proc_encrypted (CTX c, PACKET *pkt) if (!result) result = decrypt_data (c->ctrl, c, pkt->pkt.encrypted, c->dek ); + /* Trigger the deferred error. */ + if (!result && early_plaintext) + result = gpg_error (GPG_ERR_BAD_DATA); + if (result == -1) ; else if (!result -- cgit v1.2.3 From 13f135c7a252cc46cff96e75968d92b6dc8dce1b Mon Sep 17 00:00:00 2001 
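Review bot: The warning text `multiple plaintexts seen` does not match the condition that raises it: at this point `early_plaintext` only records that a literal data packet preceded this encrypted packet, and no second plaintext has been seen yet. A comment above the `if (early_plaintext)` would make the intent clear, e.g. `/* A literal data packet preceded this encrypted packet; its contents have already been output, so warn now and fail after decryption. */`. Note also that `early_plaintext` is an `int` snapshot of `literals_seen`, so a change to that counter during decryption does not affect the deferred check — presumably intended, but worth a word. proc_encrypted continues past the end of the hunk.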
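Review bot: The deferred error at `if (!result && early_plaintext)` fires only when decrypt_data returned 0; the `result == -1` case handled on the very next lines keeps -1 and is never turned into GPG_ERR_BAD_DATA, so if that sentinel path can be reached with an early plaintext, the caller gets no error code even though the `decryption.early_plaintext` status line was already emitted. If -1 is meant to stay error-free here that deserves a sentence in the comment, e.g. `/* Trigger the deferred error; a real decryption error (or the -1 no-op case) takes precedence. */`. The rest of proc_encrypted, including the handling of result, lies outside the hunk.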
From: Werner Koch Date: Fri, 8 Jun 2018 10:45:21 +0200 Subject: gpg: Sanitize diagnostic with the original file name. * g10/mainproc.c (proc_plaintext): Sanitize verbose output. -- This fixes a forgotten sanitation of user supplied data in a verbose mode diagnostic. The mention CVE is about using this to inject status-fd lines into the stderr output. Other harm good as well be done. Note that GPGME based applications are not affected because GPGME does not fold status output into stderr. CVE-id: CVE-2018-12020 GnuPG-bug-id: 4012 --- g10/mainproc.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'g10/mainproc.c') diff --git a/g10/mainproc.c b/g10/mainproc.c index d2ceec2fd..a9da08f74 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -851,7 +851,14 @@ proc_plaintext( CTX c, PACKET *pkt ) if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8)) log_info (_("Note: sender requested \"for-your-eyes-only\"\n")); else if (opt.verbose) - log_info (_("original file name='%.*s'\n"), pt->namelen, pt->name); + { + /* We don't use print_utf8_buffer because that would require a + * string change which we don't want in 2.2. It is also not + * clear whether the filename is always utf-8 encoded. */ + char *tmp = make_printable_string (pt->name, pt->namelen, 0); + log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp); + xfree (tmp); + } free_md_filter_context (&c->mfx); if (gcry_md_open (&c->mfx.md, 0, 0)) -- cgit v1.2.3 From f7526c7bc754acf68bde0b79c785e875a9365d60 Mon Sep 17 00:00:00 2001 
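Review bot: No regression test accompanies this CVE fix; one that runs gpg in verbose mode over a constructed literal data packet whose file name contains a newline, asserting that the `original file name=` diagnostic arrives as a single escaped line, would pin the behaviour. The `%.*s` plus `(int)strlen (tmp)` pair is explained by the comment as avoiding a translatable-string change, but a short note that it is equivalent to `%s` (`/* %.*s with strlen keeps the existing msgid; equivalent to %s */`) would stop a later reader from "fixing" it. Whether `pt->name` is used unescaped anywhere else in proc_plaintext (other log_* calls, output-file naming) is not visible in this hunk and is worth checking so the same sanitisation is applied consistently.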
From: Werner Koch Date: Thu, 5 Jul 2018 20:55:32 +0200 Subject: gpg: Prepare for signatures with ISSUER_FPR but without ISSUER. * g10/getkey.c (get_pubkey_for_sig): New. (get_pubkeyblock_for_sig): New. * g10/mainproc.c (issuer_fpr_raw): Give global scope. (check_sig_and_print): Use get_pubkeyblock_for_sig. * g10/pkclist.c (check_signatures_trust): Use get_pubkey_for_sig. * g10/sig-check.c (check_signature2): Ditto. (check_signature_over_key_or_uid): Ditto. -- GnuPG-bug-id: 4046 The whole getkey stuff is still a mess with way to much duplication and missing caching of already fetched data. Signed-off-by: Werner Koch --- g10/mainproc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'g10/mainproc.c') diff --git a/g10/mainproc.c b/g10/mainproc.c index a9da08f74..1d56f1f30 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -1751,7 +1751,7 @@ akl_has_wkd_method (void) /* Return the ISSUER fingerprint buffer and its lenbgth at R_LEN. * Returns NULL if not available. The returned buffer is valid as * long as SIG is not modified. */ -static const byte * +const byte * issuer_fpr_raw (PKT_signature *sig, size_t *r_len) { const byte *p; @@ -1768,7 +1768,7 @@ issuer_fpr_raw (PKT_signature *sig, size_t *r_len) } -/* Return the ISSUER fingerprint string in human readbale format if +/* Return the ISSUER fingerprint string in human readable format if * available. Caller must release the string. */ /* FIXME: Move to another file. */ char * @@ -2134,7 +2134,7 @@ check_sig_and_print (CTX c, kbnode_t node) * keyblock has already been fetched. Thus we could use the * fingerprint or PK itself to lookup the entire keyblock. That * would best be done with a cache. */ - keyblock = get_pubkeyblock (c->ctrl, sig->keyid); + keyblock = get_pubkeyblock_for_sig (c->ctrl, sig); snprintf (keyid_str, sizeof keyid_str, "%08lX%08lX [uncertain] ", (ulong)sig->keyid[0], (ulong)sig->keyid[1]); -- cgit v1.2.3
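Review bot: Dropping `static` from `issuer_fpr_raw` exports it without a prototype visible in this file; the declaration presumably lands in a header in the part of the commit filtered out of this listing (limited to g10/mainproc.c), which is worth confirming since an exported definition with no visible declaration warns under -Wmissing-prototypes. Since the signature line is already touched, the `lenbgth` typo in the context comment above could be fixed alongside the `readbale` one the next hunk fixes: `* Return the ISSUER fingerprint buffer and its length at R_LEN.`. The function body continues outside the hunk.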
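Review bot: The comment immediately above the changed line still suggests using the fingerprint or PK to look up the keyblock, but the new call `get_pubkeyblock_for_sig (c->ctrl, sig)` now hands over the whole signature, so that part of the comment reads as stale; trim it to the remaining remark, e.g. `/* FIXME: The keyblock has already been fetched once; avoiding the second lookup would best be done with a cache. */`. The `keyid_str` built on the following lines still comes from `sig->keyid`; for the ISSUER_FPR-only signatures this commit prepares for, whether `sig->keyid` is populated is not visible here, and if it is not the "[uncertain]" label would carry an empty or placeholder key ID — worth confirming. check_sig_and_print continues outside the hunk.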