Re: Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG

[Demi Marie Obenour <demi () invisiblethingslab com>]

On Wed, Jul 06, 2022 at 06:10:32AM -0000, Tavis Ormandy wrote:
> On 2022-07-04, Jakub Wilk wrote:
> > As a data point, if Mutt has pgp_auto_decode=yes ("automatically attempt 
> > to decrypt traditional PGP messages") in the config, it will trigger the 
> > DoS when you view the message.
>
> Hmm - I think you don't even need auto_decode, because x-action parameters
> can trigger automatic decryption in mutt.
>
> There's an example message here: https://gitlab.com/muttmua/mutt/-/issues/405
>
> > (And it seems that if you lose patience waiting for the message to show 
> > up and press ctrl+backslash in attempt to make it quit, it will actually 
> > hang forever.)
>
> I think you need at least something like max-output 104857600 in
> gnupg.conf if you don't want trivial DoS pranks to be possible :)
>
> Tavis.

I don't think this one is impacted by max-output.  Worse, I was told
“Not a bug, sorry” by Werner.

Was adding compression to PGP even a good idea in the first place?
Becuase it seems to have some of the same problems that compression in
TLS and SSH do, not to mention creating a trivial DoS.  If it were not
for OpenPGP being an archival format I would suggest ditching it
outright.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Attachment: signature.asc
Description: