oss-sec mailing list archives
Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG
From: Tavis Ormandy <taviso () gmail com>
Date: Wed, 6 Jul 2022 06:10:32 -0000 (UTC)
On 2022-07-04, Jakub Wilk wrote:
> As a data point, if Mutt has pgp_auto_decode=yes ("automatically attempt to decrypt traditional PGP messages") in the config, it will trigger the DoS when you view the message.

Hmm - I think you don't even need auto_decode, because x-action parameters can trigger automatic decryption in mutt. There's an example message here: https://gitlab.com/muttmua/mutt/-/issues/405

> (And it seems that if you lose patience waiting for the message to show up and press ctrl+backslash in an attempt to make it quit, it will actually hang forever.)

I think you need at least something like max-output 104857600 in gnupg.conf if you don't want trivial DoS pranks to be possible :)

Tavis.

-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso () sdf org
_\_V _( ) _( )  @taviso
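
An added example, not part of the original message or of GnuPG: a shell check that reads a gnupg.conf and reports whether the max-output cap mentioned above is in effect. It assumes one option per line without leading dashes, `#` comments, and that the last occurrence wins; the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Audit a gnupg.conf for a max-output cap (0 or absent means "no limit").

# Print the effective max-output value from config file $1 (empty if unset).
effective_max_output() {
    awk '
        { sub(/#.*/, "") }                          # strip comments
        $1 == "max-output" && $2 ~ /^[0-9]+$/ { v = $2 }   # assumption: last one wins
        END { if (v != "") print v }
    ' "$1"
}

# Return 0 when a non-zero cap no larger than $2 bytes is configured in $1,
# 1 when no cap is set, 2 when the cap is larger than the limit.
audit_max_output() {
    conf=$1
    limit=$2
    val=$(effective_max_output "$conf")
    if [ -z "$val" ] || [ "$val" -eq 0 ]; then
        echo "FAIL: $conf sets no output cap"
        return 1
    fi
    if [ "$val" -gt "$limit" ]; then
        echo "WARN: $conf cap of $val bytes exceeds $limit"
        return 2
    fi
    echo "OK: $conf caps output at $val bytes"
    return 0
}

# Constructed sample configs (not taken from any real system).
tmp=$(mktemp -d)
printf '%s\n' '# hardened' 'no-greeting' 'max-output 104857600 # 100 MiB' \
    > "$tmp/capped.conf"
printf '%s\n' 'no-greeting' '#max-output 104857600' > "$tmp/uncapped.conf"
printf '%s\n' 'max-output 10737418240' > "$tmp/loose.conf"

# 104857600 bytes is the value suggested in the message above.
for f in capped uncapped loose; do
    audit_max_output "$tmp/$f.conf" 104857600 || true
done
```

To check a real setup, call `audit_max_output` on the gnupg.conf your mail client's gpg actually reads.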