oss-sec mailing list archives
Re: Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG
From: Alexander Burke <alex () alexburke ca>
Date: Wed, 6 Jul 2022 13:06:44 +0000 (UTC)
I would suggest ditching it outright.
Don't let your dreams be dreams! ---------------------------------------- Jul 6, 2022 13:33:09 Demi Marie Obenour <demi () invisiblethingslab com>:
On Wed, Jul 06, 2022 at 06:10:32AM -0000, Tavis Ormandy wrote:On 2022-07-04, Jakub Wilk wrote:As a data point, if Mutt has pgp_auto_decode=yes ("automatically attempt to decrypt traditional PGP messages") in the config, it will trigger the DoS when you view the message.Hmm - I think you don't even need auto_decode, because x-action parameters can trigger automatic decryption in mutt. There's an example message here: https://gitlab.com/muttmua/mutt/-/issues/405(And it seems that if you lose patience waiting for the message to show up and press ctrl+backslash in attempt to make it quit, it will actually hang forever.)I think you need at least something like max-output 104857600 in gnupg.conf if you don't want trivial DoS pranks to be possible :) Tavis.I don't think this one is impacted by max-output. Worse, I was told “Not a bug, sorry” by Werner. Was adding compression to PGP even a good idea in the first place? Becuase it seems to have some of the same problems that compression in TLS and SSH do, not to mention creating a trivial DoS. If it were not for OpenPGP being an archival format I would suggest ditching it outright. -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab
Current thread:
- Denial of service in GnuPG Demi Marie Obenour (Jul 04)
- DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Peter van Dijk (Jul 04)
- Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Jens-Wolfhard Schicke-Uffmann (Jul 04)
- Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Peter van Dijk (Jul 04)
- Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Kurt H Maier (Jul 05)
- Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Jakub Wilk (Jul 04)
- Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Tavis Ormandy (Jul 06)
- Re: Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Demi Marie Obenour (Jul 06)
- Re: Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Alexander Burke (Jul 06)
- Re: Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Solar Designer (Jul 06)
- Re: Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Demi Marie Obenour (Jul 06)
- Re: Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Solar Designer (Jul 06)
- Re: Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Grant Taylor (Jul 06)
- Re: Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Demi Marie Obenour (Jul 06)
- Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Jens-Wolfhard Schicke-Uffmann (Jul 04)
- DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Peter van Dijk (Jul 04)
- Re: Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Florian Weimer (Jul 06)