oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re: DO NOT OPEN PREVIOUS MAIL Re: [oss-security] Denial of service in GnuPG

From: Alexander Burke <alex () alexburke ca>
Date: Wed, 6 Jul 2022 13:06:44 +0000 (UTC)


I would suggest ditching it outright.


Don't let your dreams be dreams!

----------------------------------------

Jul 6, 2022 13:33:09 Demi Marie Obenour <demi () invisiblethingslab com>:


On Wed, Jul 06, 2022 at 06:10:32AM -0000, Tavis Ormandy wrote:

On 2022-07-04, Jakub Wilk wrote:

As a data point, if Mutt has pgp_auto_decode=yes ("automatically attempt
to decrypt traditional PGP messages") in the config, it will trigger the
DoS when you view the message.


Hmm - I think you don't even need auto_decode, because x-action parameters
can trigger automatic decryption in mutt.

There's an example message here: https://gitlab.com/muttmua/mutt/-/issues/405


(And it seems that if you lose patience waiting for the message to show
up and press ctrl+backslash in attempt to make it quit, it will actually
hang forever.)



I think you need at least something like max-output 104857600 in
gnupg.conf if you don't want trivial DoS pranks to be possible :)

Tavis.


I don't think this one is impacted by max-output.  Worse, I was told
“Not a bug, sorry” by Werner.

Was adding compression to PGP even a good idea in the first place?
Becuase it seems to have some of the same problems that compression in
TLS and SSH do, not to mention creating a trivial DoS.  If it were not
for OpenPGP being an archival format I would suggest ditching it
outright.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
Previous By Date Next
Previous By Thread Next

Current thread: