- CVE-2006-6235
This commit is contained in:
parent
aea2610802
commit
01e0edd077
260
gnupg-2.0.1-CVE-2006-6235.patch
Normal file
260
gnupg-2.0.1-CVE-2006-6235.patch
Normal file
@ -0,0 +1,260 @@
|
|||||||
|
This is a patch against GnuPG 2.0.1. Change the directory to g10/ and
|
||||||
|
apply this patch.
|
||||||
|
|
||||||
|
2006-12-02 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
|
* encr-data.c: Allocate DFX context on the heap and not on the
|
||||||
|
stack. Changes at several places. Fixes CVE-2006-6235.
|
||||||
|
|
||||||
|
|
||||||
|
Index: encr-data.c
|
||||||
|
===================================================================
|
||||||
|
--- encr-data.c (revision 4352)
|
||||||
|
+++ encr-data.c (working copy)
|
||||||
|
@@ -39,16 +39,37 @@
|
||||||
|
static int decode_filter ( void *opaque, int control, IOBUF a,
|
||||||
|
byte *buf, size_t *ret_len);
|
||||||
|
|
||||||
|
-typedef struct
|
||||||
|
+typedef struct decode_filter_context_s
|
||||||
|
{
|
||||||
|
gcry_cipher_hd_t cipher_hd;
|
||||||
|
gcry_md_hd_t mdc_hash;
|
||||||
|
char defer[22];
|
||||||
|
int defer_filled;
|
||||||
|
int eof_seen;
|
||||||
|
-} decode_filter_ctx_t;
|
||||||
|
+ int refcount;
|
||||||
|
+} *decode_filter_ctx_t;
|
||||||
|
|
||||||
|
|
||||||
|
+/* Helper to release the decode context. */
|
||||||
|
+static void
|
||||||
|
+release_dfx_context (decode_filter_ctx_t dfx)
|
||||||
|
+{
|
||||||
|
+ if (!dfx)
|
||||||
|
+ return;
|
||||||
|
+
|
||||||
|
+ assert (dfx->refcount);
|
||||||
|
+ if ( !--dfx->refcount )
|
||||||
|
+ {
|
||||||
|
+ gcry_cipher_close (dfx->cipher_hd);
|
||||||
|
+ dfx->cipher_hd = NULL;
|
||||||
|
+ gcry_md_close (dfx->mdc_hash);
|
||||||
|
+ dfx->mdc_hash = NULL;
|
||||||
|
+ xfree (dfx);
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+
|
||||||
|
/****************
|
||||||
|
* Decrypt the data, specified by ED with the key DEK.
|
||||||
|
*/
|
||||||
|
@@ -62,7 +83,11 @@
|
||||||
|
unsigned blocksize;
|
||||||
|
unsigned nprefix;
|
||||||
|
|
||||||
|
- memset( &dfx, 0, sizeof dfx );
|
||||||
|
+ dfx = xtrycalloc (1, sizeof *dfx);
|
||||||
|
+ if (!dfx)
|
||||||
|
+ return gpg_error_from_syserror ();
|
||||||
|
+ dfx->refcount = 1;
|
||||||
|
+
|
||||||
|
if ( opt.verbose && !dek->algo_info_printed )
|
||||||
|
{
|
||||||
|
const char *s = gcry_cipher_algo_name (dek->algo);
|
||||||
|
@@ -77,20 +102,20 @@
|
||||||
|
goto leave;
|
||||||
|
blocksize = gcry_cipher_get_algo_blklen (dek->algo);
|
||||||
|
if ( !blocksize || blocksize > 16 )
|
||||||
|
- log_fatal("unsupported blocksize %u\n", blocksize );
|
||||||
|
+ log_fatal ("unsupported blocksize %u\n", blocksize );
|
||||||
|
nprefix = blocksize;
|
||||||
|
if ( ed->len && ed->len < (nprefix+2) )
|
||||||
|
BUG();
|
||||||
|
|
||||||
|
if ( ed->mdc_method )
|
||||||
|
{
|
||||||
|
- if (gcry_md_open (&dfx.mdc_hash, ed->mdc_method, 0 ))
|
||||||
|
+ if (gcry_md_open (&dfx->mdc_hash, ed->mdc_method, 0 ))
|
||||||
|
BUG ();
|
||||||
|
if ( DBG_HASHING )
|
||||||
|
- gcry_md_start_debug (dfx.mdc_hash, "checkmdc");
|
||||||
|
+ gcry_md_start_debug (dfx->mdc_hash, "checkmdc");
|
||||||
|
}
|
||||||
|
|
||||||
|
- rc = gcry_cipher_open (&dfx.cipher_hd, dek->algo,
|
||||||
|
+ rc = gcry_cipher_open (&dfx->cipher_hd, dek->algo,
|
||||||
|
GCRY_CIPHER_MODE_CFB,
|
||||||
|
(GCRY_CIPHER_SECURE
|
||||||
|
| ((ed->mdc_method || dek->algo >= 100)?
|
||||||
|
@@ -104,7 +129,7 @@
|
||||||
|
|
||||||
|
|
||||||
|
/* log_hexdump( "thekey", dek->key, dek->keylen );*/
|
||||||
|
- rc = gcry_cipher_setkey (dfx.cipher_hd, dek->key, dek->keylen);
|
||||||
|
+ rc = gcry_cipher_setkey (dfx->cipher_hd, dek->key, dek->keylen);
|
||||||
|
if ( gpg_err_code (rc) == GPG_ERR_WEAK_KEY )
|
||||||
|
{
|
||||||
|
log_info(_("WARNING: message was encrypted with"
|
||||||
|
@@ -123,7 +148,7 @@
|
||||||
|
goto leave;
|
||||||
|
}
|
||||||
|
|
||||||
|
- gcry_cipher_setiv (dfx.cipher_hd, NULL, 0);
|
||||||
|
+ gcry_cipher_setiv (dfx->cipher_hd, NULL, 0);
|
||||||
|
|
||||||
|
if ( ed->len )
|
||||||
|
{
|
||||||
|
@@ -144,8 +169,8 @@
|
||||||
|
temp[i] = c;
|
||||||
|
}
|
||||||
|
|
||||||
|
- gcry_cipher_decrypt (dfx.cipher_hd, temp, nprefix+2, NULL, 0);
|
||||||
|
- gcry_cipher_sync (dfx.cipher_hd);
|
||||||
|
+ gcry_cipher_decrypt (dfx->cipher_hd, temp, nprefix+2, NULL, 0);
|
||||||
|
+ gcry_cipher_sync (dfx->cipher_hd);
|
||||||
|
p = temp;
|
||||||
|
/* log_hexdump( "prefix", temp, nprefix+2 ); */
|
||||||
|
if (dek->symmetric
|
||||||
|
@@ -155,17 +180,18 @@
|
||||||
|
goto leave;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if ( dfx.mdc_hash )
|
||||||
|
- gcry_md_write (dfx.mdc_hash, temp, nprefix+2);
|
||||||
|
-
|
||||||
|
+ if ( dfx->mdc_hash )
|
||||||
|
+ gcry_md_write (dfx->mdc_hash, temp, nprefix+2);
|
||||||
|
+
|
||||||
|
+ dfx->refcount++;
|
||||||
|
if ( ed->mdc_method )
|
||||||
|
- iobuf_push_filter( ed->buf, mdc_decode_filter, &dfx );
|
||||||
|
+ iobuf_push_filter ( ed->buf, mdc_decode_filter, dfx );
|
||||||
|
else
|
||||||
|
- iobuf_push_filter( ed->buf, decode_filter, &dfx );
|
||||||
|
+ iobuf_push_filter ( ed->buf, decode_filter, dfx );
|
||||||
|
|
||||||
|
proc_packets ( procctx, ed->buf );
|
||||||
|
ed->buf = NULL;
|
||||||
|
- if ( ed->mdc_method && dfx.eof_seen == 2 )
|
||||||
|
+ if ( ed->mdc_method && dfx->eof_seen == 2 )
|
||||||
|
rc = gpg_error (GPG_ERR_INV_PACKET);
|
||||||
|
else if ( ed->mdc_method )
|
||||||
|
{
|
||||||
|
@@ -184,26 +210,28 @@
|
||||||
|
bytes are appended. */
|
||||||
|
int datalen = gcry_md_get_algo_dlen (ed->mdc_method);
|
||||||
|
|
||||||
|
- gcry_cipher_decrypt (dfx.cipher_hd, dfx.defer, 22, NULL, 0);
|
||||||
|
- gcry_md_write (dfx.mdc_hash, dfx.defer, 2);
|
||||||
|
- gcry_md_final (dfx.mdc_hash);
|
||||||
|
+ assert (dfx->cipher_hd);
|
||||||
|
+ assert (dfx->mdc_hash);
|
||||||
|
+ gcry_cipher_decrypt (dfx->cipher_hd, dfx->defer, 22, NULL, 0);
|
||||||
|
+ gcry_md_write (dfx->mdc_hash, dfx->defer, 2);
|
||||||
|
+ gcry_md_final (dfx->mdc_hash);
|
||||||
|
|
||||||
|
- if (dfx.defer[0] != '\xd3' || dfx.defer[1] != '\x14' )
|
||||||
|
+ if (dfx->defer[0] != '\xd3' || dfx->defer[1] != '\x14' )
|
||||||
|
{
|
||||||
|
log_error("mdc_packet with invalid encoding\n");
|
||||||
|
rc = gpg_error (GPG_ERR_INV_PACKET);
|
||||||
|
}
|
||||||
|
else if (datalen != 20
|
||||||
|
- || memcmp (gcry_md_read (dfx.mdc_hash, 0),dfx.defer+2,datalen))
|
||||||
|
+ || memcmp (gcry_md_read (dfx->mdc_hash, 0),
|
||||||
|
+ dfx->defer+2,datalen ))
|
||||||
|
rc = gpg_error (GPG_ERR_BAD_SIGNATURE);
|
||||||
|
- /* log_printhex("MDC message:", dfx.defer, 22); */
|
||||||
|
- /* log_printhex("MDC calc:", gcry_md_read (dfx.mdc_hash,0), datalen); */
|
||||||
|
+ /* log_printhex("MDC message:", dfx->defer, 22); */
|
||||||
|
+ /* log_printhex("MDC calc:", gcry_md_read (dfx->mdc_hash,0), datalen); */
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
leave:
|
||||||
|
- gcry_cipher_close (dfx.cipher_hd);
|
||||||
|
- gcry_md_close (dfx.mdc_hash);
|
||||||
|
+ release_dfx_context (dfx);
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -214,7 +242,7 @@
|
||||||
|
mdc_decode_filter (void *opaque, int control, IOBUF a,
|
||||||
|
byte *buf, size_t *ret_len)
|
||||||
|
{
|
||||||
|
- decode_filter_ctx_t *dfx = opaque;
|
||||||
|
+ decode_filter_ctx_t dfx = opaque;
|
||||||
|
size_t n, size = *ret_len;
|
||||||
|
int rc = 0;
|
||||||
|
int c;
|
||||||
|
@@ -226,11 +254,11 @@
|
||||||
|
}
|
||||||
|
else if( control == IOBUFCTRL_UNDERFLOW )
|
||||||
|
{
|
||||||
|
- assert(a);
|
||||||
|
- assert( size > 44 );
|
||||||
|
+ assert (a);
|
||||||
|
+ assert ( size > 44 );
|
||||||
|
|
||||||
|
/* Get at least 22 bytes and put it somewhere ahead in the buffer. */
|
||||||
|
- for(n=22; n < 44 ; n++ )
|
||||||
|
+ for (n=22; n < 44 ; n++ )
|
||||||
|
{
|
||||||
|
if( (c = iobuf_get(a)) == -1 )
|
||||||
|
break;
|
||||||
|
@@ -279,8 +307,10 @@
|
||||||
|
|
||||||
|
if ( n )
|
||||||
|
{
|
||||||
|
- gcry_cipher_decrypt (dfx->cipher_hd, buf, n, NULL, 0);
|
||||||
|
- gcry_md_write (dfx->mdc_hash, buf, n);
|
||||||
|
+ if ( dfx->cipher_hd )
|
||||||
|
+ gcry_cipher_decrypt (dfx->cipher_hd, buf, n, NULL, 0);
|
||||||
|
+ if ( dfx->mdc_hash )
|
||||||
|
+ gcry_md_write (dfx->mdc_hash, buf, n);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
@@ -289,6 +319,10 @@
|
||||||
|
}
|
||||||
|
*ret_len = n;
|
||||||
|
}
|
||||||
|
+ else if ( control == IOBUFCTRL_FREE )
|
||||||
|
+ {
|
||||||
|
+ release_dfx_context (dfx);
|
||||||
|
+ }
|
||||||
|
else if ( control == IOBUFCTRL_DESC )
|
||||||
|
{
|
||||||
|
*(char**)buf = "mdc_decode_filter";
|
||||||
|
@@ -300,7 +334,7 @@
|
||||||
|
static int
|
||||||
|
decode_filter( void *opaque, int control, IOBUF a, byte *buf, size_t *ret_len)
|
||||||
|
{
|
||||||
|
- decode_filter_ctx_t *fc = opaque;
|
||||||
|
+ decode_filter_ctx_t fc = opaque;
|
||||||
|
size_t n, size = *ret_len;
|
||||||
|
int rc = 0;
|
||||||
|
|
||||||
|
@@ -311,11 +345,18 @@
|
||||||
|
if ( n == -1 )
|
||||||
|
n = 0;
|
||||||
|
if ( n )
|
||||||
|
- gcry_cipher_decrypt (fc->cipher_hd, buf, n, NULL, 0);
|
||||||
|
+ {
|
||||||
|
+ if (fc->cipher_hd)
|
||||||
|
+ gcry_cipher_decrypt (fc->cipher_hd, buf, n, NULL, 0);
|
||||||
|
+ }
|
||||||
|
else
|
||||||
|
rc = -1; /* EOF */
|
||||||
|
*ret_len = n;
|
||||||
|
}
|
||||||
|
+ else if ( control == IOBUFCTRL_FREE )
|
||||||
|
+ {
|
||||||
|
+ release_dfx_context (fc);
|
||||||
|
+ }
|
||||||
|
else if ( control == IOBUFCTRL_DESC )
|
||||||
|
{
|
||||||
|
*(char**)buf = "decode_filter";
|
10
gnupg2.spec
10
gnupg2.spec
@ -10,7 +10,7 @@
|
|||||||
Summary: Utility for secure communication and data storage
|
Summary: Utility for secure communication and data storage
|
||||||
Name: gnupg2
|
Name: gnupg2
|
||||||
Version: 2.0.1
|
Version: 2.0.1
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
|
|
||||||
License: GPL
|
License: GPL
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
@ -24,6 +24,7 @@ Source10: gpg-agent-startup.sh
|
|||||||
Source11: gpg-agent-shutdown.sh
|
Source11: gpg-agent-shutdown.sh
|
||||||
|
|
||||||
Patch1: gnupg-1.9.16-testverbose.patch
|
Patch1: gnupg-1.9.16-testverbose.patch
|
||||||
|
Patch2: gnupg-2.0.1-CVE-2006-6235.patch
|
||||||
|
|
||||||
Obsoletes: newpg < 0.9.5
|
Obsoletes: newpg < 0.9.5
|
||||||
|
|
||||||
@ -81,6 +82,9 @@ dependency on other modules at run and build time.
|
|||||||
%setup -q -n gnupg-%{version}%{?beta}
|
%setup -q -n gnupg-%{version}%{?beta}
|
||||||
|
|
||||||
#patch1 -p1 -b .testverbose
|
#patch1 -p1 -b .testverbose
|
||||||
|
pushd g10
|
||||||
|
%patch2 -p0 -b .CVE-2006-6235
|
||||||
|
popd
|
||||||
|
|
||||||
# pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
|
# pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
|
||||||
# Note: this is just the name of the default shared lib to load in scdaemon,
|
# Note: this is just the name of the default shared lib to load in scdaemon,
|
||||||
@ -177,8 +181,12 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Dec 06 2006 Rex Dieter <rexdieter[AT]users.sf.net> 2.0.1-2
|
||||||
|
- CVE-2006-6235
|
||||||
|
|
||||||
* Wed Nov 29 2006 Rex Dieter <rexdieter[AT]users.sf.net> 2.0.1-1
|
* Wed Nov 29 2006 Rex Dieter <rexdieter[AT]users.sf.net> 2.0.1-1
|
||||||
- gnupg-2.0.1
|
- gnupg-2.0.1
|
||||||
|
- CVE-2006-6169 (bug #217950)
|
||||||
|
|
||||||
* Sat Nov 25 2006 Rex Dieter <rexdieter[AT]users.sf.net> 2.0.1-0.3.rc1
|
* Sat Nov 25 2006 Rex Dieter <rexdieter[AT]users.sf.net> 2.0.1-0.3.rc1
|
||||||
- gnupg-2.0.1rc1
|
- gnupg-2.0.1rc1
|
||||||
|
Loading…
Reference in New Issue
Block a user