oss-sec mailing list archives

CVE Request / Discussion -- dirmngr -- Improper dealing with blocking system calls, when verifying a certificate

From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 03 Jun 2011 18:21:23 +0200


Hello, Josh, Steve, Bernhard, vendors,

  based on:
  [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377
  [2] https://bugs.g10code.com/gnupg/issue1313
      (upstream bug report)
  [3] https://bugs.g10code.com/gnupg/file324/DTAG_Issuing_CA_i01.der
      (public PoC)
  [4] http://cvs.gnupg.org/cgi-bin/viewcvs.cgi?root=Dirmngr&view=rev
      (relevant upstream patch)

it concluded:
[5] https://bugzilla.redhat.com/show_bug.cgi?id=710529

i.e.:
"Dirmngr, server/client tool for managing and downloading CRLS, used
user land threads implementation (Pth) for wrapping up of system calls,
that may potentially block. A remote attacker could use this flaw to
cause a hang of an end-user application, relying of the proper services
of the dirmngr daemon, via a request to verify a specially-crafted
certificate."

But simultaneously with filling that Red Hat Bugzilla issue tracking
system entry performed some basic investigation, results of which can
be seen at:
[6] https://bugzilla.redhat.com/show_bug.cgi?id=710529#c2

IOW was not able to reproduce the complete / indefinite dirmngr-client
hang (thus blocking other clients from access). As noted in [6], it
is true that during small time period running 'dirmngr' daemon instance
is unresponsive also for '--ping' (dirmngr-client --ping) commands, but
after finite time (~21 seconds in my test) the connection ends up with
timeout.

Though Bernard in:
[7] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377#5

mentions "For example the KMail hung when trying to verify a signature
which has the certificate in the chain." which would suggest there may
exist clients / end-user application not able to recover from this bug
properly. Bernhard, hopefully here, you could clarify / list such
applications and provide also time details, how long that hang of such
applications took.

Based on your reply, this may not / may be worthy (in case there are
such end-user applications) of an CVE identifier.

Thank you & Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Current thread:

CVE Request / Discussion -- dirmngr -- Improper dealing with blocking system calls, when verifying a certificate Jan Lieskovsky (Jun 03)
- Re: CVE Request / Discussion -- dirmngr -- Improper dealing with blocking system calls, when verifying a certificate Josh Bressers (Jun 06)
  - Re: CVE Request / Discussion -- dirmngr -- Improper dealing with blocking system calls, when verifying a certificate Bernhard Reiter (Jun 15)
    - Re: CVE Request / Discussion -- dirmngr -- Improper dealing with blocking system calls, when verifying a certificate Josh Bressers (Jun 15)