Re: Multiple issues in GnuPG found through keyring fuzzing (TFPA 001/2015)

[Hanno Böck <hanno () hboeck de>]

On Fri, 13 Feb 2015 18:27:31 -0500 (EST)
cve-assign () mitre org wrote:

> Can you provide more information about a scenario in which a GnuPG
> NULL pointer dereference has a security impact? A typical use case of
> GnuPG is a single session with a single command line. The code in
> question is not part of Libgcrypt, which may be used for long-running
> processes.

I don't really think these null ptr issues are vulnerabilities. I just
mentioned everything I found with fuzzing in the advisory.

> Do you mean that:
>
>   1. it is possible to create the problematic keyring
>      using --import commands, e.g., the user has
>      imported normal keys for years and now imports
>      a crafted key
>
>   2. the problematic keyring makes the product largely
>      unusable, e.g., there is a crash with a common
>      command such as --list-keys
>
>   3. it is not possible to fix the problematic keyring
>      with any available commands such as --delete-keys
>
>   4. therefore, the product remains unusable unless the
>      user obtains other code to correct the keyring, and
>      thus there is a denial of service

That's actually an interesting idea I haven't thought about, however
would require further analysis whether it's possible.

> Also, access to each of your four crashes.fuzzing-project.org URLs
> currently fails with a 403. We can probably provide at least two CVE
> IDs in total after those URLs are available.

Sorry, fixed.


-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42

Attachment: _bin
Description: OpenPGP digital signature