From 2cbd76f7911fc215845e89b50d6af5ff4a83dd77 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 30 Jul 2014 11:04:55 +0200 Subject: [PATCH] Fix possible realloc overflow for gpgsm and uiserver engines. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * src/engine-gpgsm.c (status_handler): * src/engine-uiserver.c (status_handler): -- After a realloc (realloc is also used for initial alloc) the allocated size if the buffer is not correctly recorded. Thus an overflow can be introduced by receiving data with different line lengths in a specific order. This is not easy exploitable because libassuan constructs the line. However a crash has been reported and thus it might be possible to constructs an exploit. CVE-id: CVE-2014-3564 Reported-by: Tomáš Trnka --- NEWS | 3 +++ src/engine-gpgsm.c | 2 +- src/engine-uiserver.c | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index c6a8f52e..ff75e9c8 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,9 @@ Noteworthy changes in version 1.5.1 (unreleased) [C__/A__/R_] ------------------------------------------------------------- + * Fix possible overflow in gpgsm and uiserver engines. + [CVE-2014-35640] + * Add support for GnuPG 2.1's --with-secret option. * Interface changes relative to the 1.5.0 release: diff --git a/src/engine-gpgsm.c b/src/engine-gpgsm.c index 8ec15985..3a837577 100644 --- a/src/engine-gpgsm.c +++ b/src/engine-gpgsm.c @@ -836,7 +836,7 @@ status_handler (void *opaque, int fd) else { *aline = newline; - gpgsm->colon.attic.linesize += linelen + 1; + gpgsm->colon.attic.linesize = *alinelen + linelen + 1; } } if (!err) diff --git a/src/engine-uiserver.c b/src/engine-uiserver.c index 2738c366..a7184b7a 100644 --- a/src/engine-uiserver.c +++ b/src/engine-uiserver.c @@ -698,7 +698,7 @@ status_handler (void *opaque, int fd) else { *aline = newline; - uiserver->colon.attic.linesize += linelen + 1; + uiserver->colon.attic.linesize = *alinelen + linelen + 1; } } if (!err)