oss-sec mailing list archives

Re: CVE Request / Discussion -- dirmngr -- Improper dealing with blocking system calls, when verifying a certificate

From: Josh Bressers <bressers () redhat com>
Date: Mon, 6 Jun 2011 13:42:10 -0400 (EDT)

----- Original Message -----

Hello, Josh, Steve, Bernhard, vendors,

based on:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377
[2] https://bugs.g10code.com/gnupg/issue1313
(upstream bug report)
[3] https://bugs.g10code.com/gnupg/file324/DTAG_Issuing_CA_i01.der
(public PoC)
[4] http://cvs.gnupg.org/cgi-bin/viewcvs.cgi?root=Dirmngr&view=rev
(relevant upstream patch)

it concluded:
[5] https://bugzilla.redhat.com/show_bug.cgi?id=710529

i.e.:
"Dirmngr, server/client tool for managing and downloading CRLS, used user
land threads implementation (Pth) for wrapping up of system calls, that
may potentially block. A remote attacker could use this flaw to cause a
hang of an end-user application, relying of the proper services of the
dirmngr daemon, via a request to verify a specially-crafted certificate."

But simultaneously with filling that Red Hat Bugzilla issue tracking
system entry performed some basic investigation, results of which can
be seen at:
[6] https://bugzilla.redhat.com/show_bug.cgi?id=710529#c2

IOW was not able to reproduce the complete / indefinite dirmngr-client
hang (thus blocking other clients from access). As noted in [6], it is
true that during small time period running 'dirmngr' daemon instance is
unresponsive also for '--ping' (dirmngr-client --ping) commands, but
after finite time (~21 seconds in my test) the connection ends up with
timeout.

Though Bernard in:
[7] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627377#5

mentions "For example the KMail hung when trying to verify a signature
which has the certificate in the chain." which would suggest there may
exist clients / end-user application not able to recover from this bug
properly. Bernhard, hopefully here, you could clarify / list such
applications and provide also time details, how long that hang of such
applications took.

Based on your reply, this may not / may be worthy (in case there are
such end-user applications) of an CVE identifier.


Is this expected to only be used by end user applications? It seems to me
that if an attacker can DoS a client, it's not a security issue, especially
when you consider the use (if a bad guy can interact with dirmngr, there
are probably bigger potential issues).

Thanks.

-- 
    JB

Current thread:

CVE Request / Discussion -- dirmngr -- Improper dealing with blocking system calls, when verifying a certificate Jan Lieskovsky (Jun 03)
- Re: CVE Request / Discussion -- dirmngr -- Improper dealing with blocking system calls, when verifying a certificate Josh Bressers (Jun 06)
  - Re: CVE Request / Discussion -- dirmngr -- Improper dealing with blocking system calls, when verifying a certificate Bernhard Reiter (Jun 15)
    - Re: CVE Request / Discussion -- dirmngr -- Improper dealing with blocking system calls, when verifying a certificate Josh Bressers (Jun 15)