oss-sec mailing list archives

Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG

From: Tavis Ormandy <taviso () gmail com>
Date: Wed, 6 Jul 2022 06:10:32 -0000 (UTC)

On 2022-07-04, Jakub Wilk wrote:

As a data point, if Mutt has pgp_auto_decode=yes ("automatically attempt 
to decrypt traditional PGP messages") in the config, it will trigger the 
DoS when you view the message.


Hmm - I think you don't even need auto_decode, because x-action parameters
can trigger automatic decryption in mutt.

There's an example message here: https://gitlab.com/muttmua/mutt/-/issues/405

(And it seems that if you lose patience waiting for the message to show 
up and press ctrl+backslash in attempt to make it quit, it will actually 
hang forever.)


I think you need at least something like max-output 104857600 in
gnupg.conf if you don't want trivial DoS pranks to be possible :)

Tavis.


-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso () sdf org
_\_V _( ) _( )  @taviso

Current thread:

Denial of service in GnuPG Demi Marie Obenour (Jul 04)
- DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Peter van Dijk (Jul 04)
  - Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Jens-Wolfhard Schicke-Uffmann (Jul 04)
    - Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Peter van Dijk (Jul 04)
    - Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Kurt H Maier (Jul 05)
    - Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Jakub Wilk (Jul 04)
    - Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Tavis Ormandy (Jul 06)
    - Re: Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Demi Marie Obenour (Jul 06)
    - Re: Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Alexander Burke (Jul 06)
    - Re: Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Solar Designer (Jul 06)
    - Re: Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Demi Marie Obenour (Jul 06)
    - Re: Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Solar Designer (Jul 06)
    - Re: Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Grant Taylor (Jul 06)
    - Re: Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Demi Marie Obenour (Jul 06)
    - Re: Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Florian Weimer (Jul 06)
  - Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Noel Kuntze (Jul 04)
  - Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG Dave Horsfall (Jul 05)

(Thread continues...)