Accepting request 263168 from home:AndreasStieger:branches:Base:System

fix buffer overflow in OID to string conversion function [boo#907198] OBS-URL: https://build.opensuse.org/request/show/263168 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=84
2014-11-26 19:36:09 +00:00 · 2014-11-26 19:36:09 +00:00 · f26c508bf1
commit f26c508bf1
parent 56c2acf961
3 changed files with 86 additions and 0 deletions
--- a/gnupg-2.1.0-boo-907198-openpgp_oid_to_str-buffer-overflow.patch
+++ b/gnupg-2.1.0-boo-907198-openpgp_oid_to_str-buffer-overflow.patch
@ -0,0 +1,77 @@
+From: Werner Koch <wk@gnupg.org>
+Date: Tue, 25 Nov 2014 11:58:56 +0100
+Subject: [PATCH] Fix buffer overflow in openpgp_oid_to_str.
+References: boo#907198 http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=8445ef24fc31e1fe0291e17f90f9f06b536e34da
+Upstream: committed
+
+* common/openpgp-oid.c (openpgp_oid_to_str): Fix unsigned underflow.
+
+* common/t-openpgp-oid.c (BADOID): New.
+(test_openpgp_oid_to_str): Add test cases.
+--
+
+The code has an obvious error by not considering invalid encoding for
+arc-2.  A first byte of 0x80 can be used to make a value of less then
+80 and we then subtract 80 from that value as required by the OID
+encoding rules.  Due to the unsigned integer this results in a pretty
+long value which won't fit anymore into the allocated buffer.
+
+The fix is obvious.  Also added a few simple test cases.  Note that we
+keep on using sprintf instead of snprintf because managing the
+remaining length of the buffer would probably be more error prone than
+assuring that the buffer is large enough.  Getting rid of sprintf
+altogether by using direct conversion along with membuf_t like code
+might be possible.
+
+Reported-by: Hanno Böck
+Signed-off-by: Werner Koch <wk@gnupg.org>
+
+Ported from libksba commit f715b9e156dfa99ae829fc694e5a0abd23ef97d7
+---
+ common/openpgp-oid.c   |    2 ++
+ common/t-openpgp-oid.c |    9 +++++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/common/openpgp-oid.c b/common/openpgp-oid.c
+index 010c23f..d3d1f2a 100644
+--- a/common/openpgp-oid.c
+++ b/common/openpgp-oid.c
+@@ -236,6 +236,8 @@ openpgp_oid_to_str (gcry_mpi_t a)
+         val <<= 7;
+         val |= buf[n] & 0x7f;
+       }
+    if (val < 80)
+      goto badoid;
+     val -= 80;
+     sprintf (p, "2.%lu", val);
+     p += strlen (p);
+diff --git a/common/t-openpgp-oid.c b/common/t-openpgp-oid.c
+index 79e5a70..5cd778d 100644
+--- a/common/t-openpgp-oid.c
+++ b/common/t-openpgp-oid.c
+@@ -32,6 +32,9 @@
+   } while(0)
+ 
+ 
+#define BADOID "1.3.6.1.4.1.11591.2.12242973"
+
+
+ static void
+ test_openpgp_oid_from_str (void)
+ {
+@@ -108,6 +111,12 @@ test_openpgp_oid_to_str (void)
+     { "1.3.132.0.35",
+       { 5, 0x2B, 0x81, 0x04, 0x00, 0x23 }},
+ 
+    { BADOID,
+      { 9, 0x80, 0x02, 0x70, 0x50, 0x25, 0x46, 0xfd, 0x0c, 0xc0 }},
+
+    { BADOID,
+      { 1, 0x80 }},
+
+     { NULL }};
+   gcry_mpi_t a;
+   int idx;
+-- 
+1.7.10.4
+
--- a/gpg2.changes
+++ b/gpg2.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Nov 26 19:21:15 UTC 2014 - andreas.stieger@gmx.de
+
+- fix buffer overflow in OID to string conversion function
+  [boo#907198], adding
+  gnupg-2.1.0-boo-907198-openpgp_oid_to_str-buffer-overflow.patch
+
 -------------------------------------------------------------------
 Tue Nov 11 16:10:04 UTC 2014 - vcizek@suse.com

--- a/gpg2.spec
+++ b/gpg2.spec
@ -35,6 +35,7 @@ Patch8:         gnupg-set_umask_before_open_outfile.patch
 Patch9:         gnupg-detect_FIPS_mode.patch
 Patch11:        gnupg-add_legacy_FIPS_mode_option.patch
 Patch12:        gnupg-remove_development_version_warning.patch
+Patch13:        gnupg-2.1.0-boo-907198-openpgp_oid_to_str-buffer-overflow.patch
 BuildRequires:  automake >= 1.10
 BuildRequires:  expect
 BuildRequires:  fdupes
@ -85,6 +86,7 @@ gpg-agent, and a keybox library.
 %patch9 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1

 %build
 autoreconf -fi