[Pkg-gnupg-commit] r396 - in /gnupg/trunk/debian: changelog patches/0001-gpg-Avoid-infinite-loop-in-uncompressing-garbled-pac.patch patches/init-trustdb-before-clearing.patch patches/series

thijs at users.alioth.debian.org
Mon Jun 30 11:15:32 UTC 2014


Author: thijs
Date: Mon Jun 30 11:15:32 2014
New Revision: 396

URL: http://svn.debian.org/wsvn/pkg-gnupg/?sc=1&rev=396
Log:
import nmus

Added:
    gnupg/trunk/debian/patches/0001-gpg-Avoid-infinite-loop-in-uncompressing-garbled-pac.patch
    gnupg/trunk/debian/patches/init-trustdb-before-clearing.patch
Modified:
    gnupg/trunk/debian/changelog
    gnupg/trunk/debian/patches/series

Modified: gnupg/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/trunk/debian/changelog?rev=396&op=diff
==============================================================================
--- gnupg/trunk/debian/changelog	(original)
+++ gnupg/trunk/debian/changelog	Mon Jun 30 11:15:32 2014
@@ -1,3 +1,20 @@
+gnupg (1.4.16-1.2) unstable; urgency=high
+
+  * Non-maintainer upload with maintainers approval.
+  * CVE-2014-4617: Avoid DoS due to garbled compressed data packets.
+    Apply upstream commit to stop a possible DoS using garbled compressed
+    data packets which can be used to put gpg into an infinite loop.
+    (Closes: #752497)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Tue, 24 Jun 2014 17:02:35 +0200
+
+gnupg (1.4.16-1.1) unstable; urgency=low
+
+  * Non-Maintainer Upload.
+  * Initialize trustdb before clearing it (Closes: #735363)
+
+ -- Daniel Kahn Gillmor <dkg at fifthhorseman.net>  Mon, 20 Jan 2014 22:16:55 -0500
+
 gnupg (1.4.16-1) unstable; urgency=medium
 
   * New upstream release.
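Review bot: "maintainers approval" in the 1.4.16-1.2 entry should read "maintainer's approval", and the CVE-2014-4617 line would be easier to trace if it named the upstream commit being applied (11fdfcf82bd8, per the header of the added patch) alongside the Closes: #752497 reference.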

Added: gnupg/trunk/debian/patches/0001-gpg-Avoid-infinite-loop-in-uncompressing-garbled-pac.patch
URL: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/trunk/debian/patches/0001-gpg-Avoid-infinite-loop-in-uncompressing-garbled-pac.patch?rev=396&op=file
==============================================================================
--- gnupg/trunk/debian/patches/0001-gpg-Avoid-infinite-loop-in-uncompressing-garbled-pac.patch	(added)
+++ gnupg/trunk/debian/patches/0001-gpg-Avoid-infinite-loop-in-uncompressing-garbled-pac.patch	Mon Jun 30 11:15:32 2014
@@ -0,0 +1,78 @@
+From 11fdfcf82bd8d2b5bc38292a29876e10770f4b0a Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk at gnupg.org>
+Date: Fri, 20 Jun 2014 10:39:26 +0200
+Subject: [PATCH] gpg: Avoid infinite loop in uncompressing garbled packets.
+
+* g10/compress.c (do_uncompress): Limit the number of extra FF bytes.
+--
+
+A packet like (a3 01 5b ff) leads to an infinite loop.  Using
+--max-output won't help if it is a partial packet.  This patch
+actually fixes a regression introduced on 1999-05-31 (c34c6769).
+Actually it would be sufficient to stuff just one extra 0xff byte.
+Given that this problem popped up only after 15 years, I feel safer to
+allow for a very few FF bytes.
+
+Thanks to Olivier Levillain and Florian Maury for their detailed
+report.
+---
+ g10/compress.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/g10/compress.c b/g10/compress.c
+index 2c16174..07c9e5e 100644
+--- a/g10/compress.c
++++ b/g10/compress.c
+@@ -131,7 +131,7 @@ init_uncompress( compress_filter_context_t *zfx, z_stream *zs )
+      * PGP uses a windowsize of 13 bits. Using a negative value for
+      * it forces zlib not to expect a zlib header.  This is a
+      * undocumented feature Peter Gutmann told me about.
+-     *    
++     *
+      * We must use 15 bits for the inflator because CryptoEx uses 15
+      * bits thus the output would get scrambled w/o error indication
+      * if we would use 13 bits.  For the uncompressing this does not
+@@ -155,7 +155,8 @@ do_uncompress( compress_filter_context_t *zfx, z_stream *zs,
+ 	       IOBUF a, size_t *ret_len )
+ {
+     int zrc;
+-    int rc=0;
++    int rc = 0;
++    int leave = 0;
+     size_t n;
+     int nread, count;
+     int refill = !zs->avail_in;
+@@ -178,13 +179,14 @@ do_uncompress( compress_filter_context_t *zfx, z_stream *zs,
+ 	    if( nread == -1 )
+                 nread = 0;
+ 	    n += nread;
+-	    /* If we use the undocumented feature to suppress
+-	     * the zlib header, we have to give inflate an
+-	     * extra dummy byte to read */
+-	    if( nread < count && zfx->algo == 1 ) {
+-		*(zfx->inbuf + n) = 0xFF; /* is it really needed ? */
+-		zfx->algo1hack = 1;
++	    /* Algo 1 has no zlib header which requires us to to give
++	     * inflate an extra dummy byte to read. To be on the safe
++	     * side we allow for up to 4 ff bytes.  */
++	    if( nread < count && zfx->algo == 1 && zfx->algo1hack < 4) {
++		*(zfx->inbuf + n) = 0xFF;
++		zfx->algo1hack++;
+ 		n++;
++                leave = 1;
+ 	    }
+ 	    zs->avail_in = n;
+ 	}
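Review bot: algo1hack changes meaning in this hunk from a set-once flag to a counter (`zfx->algo1hack++`, compared against 4), so confirm that its declaration in compress_filter_context_t is an integer type wide enough for that and that it is reset whenever the context is reused for a new packet; otherwise a context that has already stuffed four bytes would never stuff again. Also worth checking that the store `*(zfx->inbuf + n) = 0xFF;` still has room: the `nread < count` guard only guarantees a free byte if `count` is computed as the remaining buffer size, which is not visible here. Two style nits: the new comment reads "to to give", and `leave = 1;` is indented with spaces where the surrounding block uses tabs.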
+@@ -208,7 +210,8 @@ do_uncompress( compress_filter_context_t *zfx, z_stream *zs,
+ 	    else
+ 		log_fatal("zlib inflate problem: rc=%d\n", zrc );
+ 	}
+-    } while( zs->avail_out && zrc != Z_STREAM_END  && zrc != Z_BUF_ERROR );
++    } while (zs->avail_out && zrc != Z_STREAM_END && zrc != Z_BUF_ERROR
++             && !leave);
+     *ret_len = zfx->outbufsize - zs->avail_out;
+     if( DBG_FILTER )
+ 	log_debug("do_uncompress: returning %u bytes\n", (unsigned)*ret_len );
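Review bot: adding `&& !leave` makes do_uncompress return after a single inflate pass whenever a dummy byte was stuffed, so the caller must invoke it again to drain the rest of the stream; check that the compress filter loops on the returned `*ret_len` rather than treating one short return as end of data. Once four bytes have been stuffed, the guard in the previous hunk stops stuffing, and if nothing further was read `avail_in` stays at 0 and inflate should return Z_BUF_ERROR, which still terminates the loop; a regression test feeding the `a3 01 5b ff` packet named in the commit message would pin that behaviour down.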
+-- 
+2.0.0
+

Added: gnupg/trunk/debian/patches/init-trustdb-before-clearing.patch
URL: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/trunk/debian/patches/init-trustdb-before-clearing.patch?rev=396&op=file
==============================================================================
--- gnupg/trunk/debian/patches/init-trustdb-before-clearing.patch	(added)
+++ gnupg/trunk/debian/patches/init-trustdb-before-clearing.patch	Mon Jun 30 11:15:32 2014
@@ -0,0 +1,22 @@
+commit 0807b8afd37720681a785ee396e349e0d2d3fc23
+Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date:   Mon Jan 20 22:12:38 2014 -0500
+
+    init trustdb before trying to clear it
+    
+    This avoids failure when importing with --always-trust on gpg 1.4.16,
+    as reported in http://bugs.debian.org/735363
+
+diff --git a/g10/trustdb.c b/g10/trustdb.c
+index 0bf92e4..828b90f 100644
+--- a/g10/trustdb.c
++++ b/g10/trustdb.c
+@@ -927,6 +927,8 @@ clear_ownertrusts (PKT_public_key *pk)
+   TRUSTREC rec;
+   int rc;
+ 
++  init_trustdb();
++
+   if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
+     return 0;
+ 
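Review bot: the early return just below tests trustdb_args.no_trustdb, which is only populated once init_trustdb() has run, so the new call is correctly placed before that check rather than after it; it is worth confirming that init_trustdb() is safe to call repeatedly, since clear_ownertrusts() runs per key during import and other callers may already have initialized the trustdb. Style: match the file's GNU spacing (`init_trustdb ();`, as in `clear_ownertrusts (PKT_public_key *pk)`).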

Modified: gnupg/trunk/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/trunk/debian/patches/series?rev=396&op=diff
==============================================================================
--- gnupg/trunk/debian/patches/series	(original)
+++ gnupg/trunk/debian/patches/series	Mon Jun 30 11:15:32 2014
@@ -0,0 +1,2 @@
+init-trustdb-before-clearing.patch
+0001-gpg-Avoid-infinite-loop-in-uncompressing-garbled-pac.patch




More information about the Pkg-gnupg-commit mailing list