oss-sec mailing list archives
CVE Request / Discussion -- dirmngr -- Improper dealing with blocking system calls, when verifying a certificate
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 03 Jun 2011 18:21:23 +0200
Hello, Josh, Steve, Bernhard, vendors, based on: [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377 [2] https://bugs.g10code.com/gnupg/issue1313 (upstream bug report) [3] https://bugs.g10code.com/gnupg/file324/DTAG_Issuing_CA_i01.der (public PoC) [4] http://cvs.gnupg.org/cgi-bin/viewcvs.cgi?root=Dirmngr&view=rev (relevant upstream patch) it concluded: [5] https://bugzilla.redhat.com/show_bug.cgi?id=710529 i.e.: "Dirmngr, server/client tool for managing and downloading CRLS, used user land threads implementation (Pth) for wrapping up of system calls, that may potentially block. A remote attacker could use this flaw to cause a hang of an end-user application, relying of the proper services of the dirmngr daemon, via a request to verify a specially-crafted certificate." But simultaneously with filling that Red Hat Bugzilla issue tracking system entry performed some basic investigation, results of which can be seen at: [6] https://bugzilla.redhat.com/show_bug.cgi?id=710529#c2 IOW was not able to reproduce the complete / indefinite dirmngr-client hang (thus blocking other clients from access). As noted in [6], it is true that during small time period running 'dirmngr' daemon instance is unresponsive also for '--ping' (dirmngr-client --ping) commands, but after finite time (~21 seconds in my test) the connection ends up with timeout. Though Bernard in: [7] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377#5 mentions "For example the KMail hung when trying to verify a signature which has the certificate in the chain." which would suggest there may exist clients / end-user application not able to recover from this bug properly. Bernhard, hopefully here, you could clarify / list such applications and provide also time details, how long that hang of such applications took. Based on your reply, this may not / may be worthy (in case there are such end-user applications) of an CVE identifier. Thank you & Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Current thread:
- CVE Request / Discussion -- dirmngr -- Improper dealing with blocking system calls, when verifying a certificate Jan Lieskovsky (Jun 03)