Fix possible realloc overflow for gpgsm and uiserver engines.
* src/engine-gpgsm.c (status_handler): * src/engine-uiserver.c (status_handler): -- After a realloc (realloc is also used for initial alloc) the allocated size if the buffer is not correctly recorded. Thus an overflow can be introduced by receiving data with different line lengths in a specific order. This is not easy exploitable because libassuan constructs the line. However a crash has been reported and thus it might be possible to constructs an exploit. CVE-id: CVE-2014-3564 Reported-by: Tomáš Trnka
This commit is contained in:
parent
68116fa5f6
commit
2cbd76f791
3
NEWS
3
NEWS
@ -1,6 +1,9 @@
|
|||||||
Noteworthy changes in version 1.5.1 (unreleased) [C__/A__/R_]
|
Noteworthy changes in version 1.5.1 (unreleased) [C__/A__/R_]
|
||||||
-------------------------------------------------------------
|
-------------------------------------------------------------
|
||||||
|
|
||||||
|
* Fix possible overflow in gpgsm and uiserver engines.
|
||||||
|
[CVE-2014-35640]
|
||||||
|
|
||||||
* Add support for GnuPG 2.1's --with-secret option.
|
* Add support for GnuPG 2.1's --with-secret option.
|
||||||
|
|
||||||
* Interface changes relative to the 1.5.0 release:
|
* Interface changes relative to the 1.5.0 release:
|
||||||
|
@ -836,7 +836,7 @@ status_handler (void *opaque, int fd)
|
|||||||
else
|
else
|
||||||
{
|
{
|
||||||
*aline = newline;
|
*aline = newline;
|
||||||
gpgsm->colon.attic.linesize += linelen + 1;
|
gpgsm->colon.attic.linesize = *alinelen + linelen + 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (!err)
|
if (!err)
|
||||||
|
@ -698,7 +698,7 @@ status_handler (void *opaque, int fd)
|
|||||||
else
|
else
|
||||||
{
|
{
|
||||||
*aline = newline;
|
*aline = newline;
|
||||||
uiserver->colon.attic.linesize += linelen + 1;
|
uiserver->colon.attic.linesize = *alinelen + linelen + 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (!err)
|
if (!err)
|
||||||
|
Loading…
Reference in New Issue
Block a user