author: Werner Koch <[email protected]> 2025-10-23 09:36:04 +0000
committer: Werner Koch <[email protected]> 2025-10-23 09:37:59 +0000
commit: 115d138ba599328005c5321c0ef9f00355838ca9 (patch)
tree: 9407edab20ceaa21df385c33bbd12d0b5048674c /common/t-ssh-utils.c
parent: Post release updates
download: gnupg-115d138ba599328005c5321c0ef9f00355838ca9.tar.gz, gnupg-115d138ba599328005c5321c0ef9f00355838ca9.zip
gpg: Fix possible memory corruption in the armor parser.
* g10/armor.c (armor_filter): Fix faulty double increment.
* common/iobuf.c (underflow_target): Assert that the filter implementations behave well.
--

This fixes a bug in a code path which can only be reached with specially crafted input data and would then error out at an upper layer due to corrupt input (every second byte in the buffer is uninitialized garbage). No fuzzing has yet hit this case and we don't have a test case for this code path. However memory corruption can never be tolerated as it always has the potential for remote code execution.

Reported-by: 8b79fe4dd0581c1cd000e1fbecba9f39e16a396a
Fixes-commit: c27c7416d5148865a513e007fb6f0a34993a6073
which fixed
Fixes-commit: 7d0efec7cf5ae110c99511abc32587ff0c45b14f

The bug was introduced on 1999-01-07 by me:

  * armor.c: Rewrote large parts.

which I fixed on 1999-03-02 but missed to fix the other case:

  * armor.c (armor_filter): Fixed armor bypassing.

Below is base64+gzipped test data which can be used with valgrind to show access to uninitialized memory in write(2) in the unpatched code.
Diffstat (limited to 'common/t-ssh-utils.c')
0 files changed, 0 insertions, 0 deletions
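A generic illustration of the bug class the commit message names (an output index incremented twice per stored byte) and of a caller-side check on what a filter reports. This is an added example, not GnuPG code: the toy filters, `checked_len`, `unwritten`, the sentinel byte and the sample input are all hypothetical and constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define SENTINEL 0xAA                      /* stands in for uninitialized memory */
#define FILTER_MISBEHAVED ((size_t)-1)

typedef size_t (*filter_fn)(const unsigned char *src, size_t srclen,
                            unsigned char *buf, size_t size);

/* Constructed sample input; contains no SENTINEL byte. */
static const unsigned char SAMPLE[] = "ABCDEFGHIJKLMNOP";
static unsigned char outbuf[64];           /* demo sizes must be <= 64 */

/* Buggy toy filter: the output index advances twice per stored byte. */
size_t filter_double_inc(const unsigned char *src, size_t srclen,
                         unsigned char *buf, size_t size)
{
    size_t n = 0;
    for (size_t i = 0; i < srclen && n < size; i++, n++)
        buf[n++] = src[i];
    return n;                              /* size + 1 when size is odd */
}

/* Fixed toy filter: one increment per stored byte. */
size_t filter_fixed(const unsigned char *src, size_t srclen,
                    unsigned char *buf, size_t size)
{
    size_t n = 0;
    for (size_t i = 0; i < srclen && n < size; i++)
        buf[n++] = src[i];
    return n;
}

/* Caller-side check: a filter must never claim more bytes than it was given. */
size_t checked_len(filter_fn f, size_t size)
{
    memset(outbuf, SENTINEL, sizeof outbuf);
    size_t n = f(SAMPLE, sizeof SAMPLE - 1, outbuf, size);
    return n > size ? FILTER_MISBEHAVED : n;
}

/* Number of claimed bytes the filter never actually wrote. */
size_t unwritten(filter_fn f, size_t size)
{
    size_t n = checked_len(f, size), gaps = 0;
    if (n == FILTER_MISBEHAVED) return n;
    for (size_t i = 0; i < n; i++) gaps += (outbuf[i] == SENTINEL);
    return gaps;
}

int main(void)
{
    printf("buggy/8: len=%zu gaps=%zu\n", checked_len(filter_double_inc, 8), unwritten(filter_double_inc, 8));
    printf("buggy/7 rejected: %d\n", checked_len(filter_double_inc, 7) == FILTER_MISBEHAVED);
    return 0;
}
```

With an even buffer size the buggy filter stays in bounds but leaves every second claimed byte unwritten; with an odd size it reports one byte more than the buffer holds, which the length check rejects.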