CVE-2014-3564: Buffer Overflow
First published: Wed Jun 25 2014(Updated: )
Created <span class=""><a href="attachment.cgi?id=912217&action=diff" name="attach_912217" title="Patch fixing the overflow">attachment 912217</a> <a href="attachment.cgi?id=912217&action=edit" title="Patch fixing the overflow">[details]</a></span> Patch fixing the overflow Description of problem: A bug in GPGME crashes my KMail reproducibly when opening the private key selection dialog twice in a row. The crash is due to an overflow of the gpgsm->colon.attic.line buffer within status_handler() in engine-gpgsm.c. This buffer is getting (re)allocated at line 831 like this: if (gpgsm->colon.attic.linesize < *alinelen + linelen + 1) { char *newline = realloc (*aline, *alinelen + linelen + 1); gpgsm->colon.attic.linesize += linelen + 1; ... So in other words, the code allocates a buffer to be *alinelen + linelen + 1 bytes long, but then thinks its capacity is actually linesize + linelen + 1. This assumption is wrong if *alinelen (the number of bytes used in the buffer prior to reallocation) is lower than linesize (the total length of the buffer), or in other words, if the buffer is not completely full. In that case, a fragment of the input line is subsequently written past the end of the buffer at line 856: *dst = *src++; I'm not sure if it is really exploitable, but in general this routine is processing arbitrary data coming from certificates the user happens to encounter somehow, so one could possibly exploit this using specially crafted certificate or something like that. Attached is a trivial patch fixing the issue (works fine for me during daily use of KMail with e-mail signing/encryption). Version-Release number of selected component (if applicable): gpgme-1.3.2-4.fc20.x86_64 How reproducible: Perfectly reproducible for me, but as the bug is data-dependent and I'm not going to publish my keys, I don't have a simple testcase. (I don't think it matters at all as the bug is quite obvious just from the source.)
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gnu Gpgme | <=1.5.0 | |
| Canonical Ubuntu Linux | =10.04 | |
| Canonical Ubuntu Linux | =12.04 | |
| Debian Debian Linux | =6.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git%3Ba=commit%3Bh=2cbd76f7911fc215845e89b50d6af5ff4a83dd77
- http://seclists.org/oss-sec/2014/q3/266
- http://www.debian.org/security/2014/dsa-3005
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.osvdb.org/109699
- http://www.securityfocus.com/bid/68990
- https://bugzilla.redhat.com/show_bug.cgi?id=1113267
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=912217&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=912217&action=edit
- https://access.redhat.com/security/cve/CVE-2014-3564
- http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77
- http://www.openwall.com/lists/oss-security/2014/07/31/5
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1125170
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1125172
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1116412
- https://access.redhat.com/security/updates/classification/
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/references
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-3564
- agent/weakness
- agent/remedy
- agent/last-modified-date
- agent/severity
- agent/author
- agent/description
- agent/event
- agent/tags
- vendor/gnu
- canonical/gnu gpgme
- version/gnu gpgme/1.5.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/10.04
- version/canonical ubuntu linux/12.04
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/6.0