Debian Bug report logs - #1014157
gnupg: vulnerable to status injection


Package: gnupg; Maintainer for gnupg is Debian GnuPG Maintainers <[email protected]>; Source for gnupg is src:gnupg2.

Affects: libgpgme11

Reported by: Daniel Kahn Gillmor <[email protected]>

Date: Fri, 1 Jul 2022 06:03:02 UTC

Severity: normal

Tags: patch, security

Found in versions gnupg2/2.2.12-1, gnupg2/2.2.12-1+deb10u1, 2.2.25-2, gnupg2/2.2.27-2+deb11u1

Fixed in versions gnupg2/2.2.35-3, gnupg2/2.2.27-2+deb11u2, gnupg2/2.2.12-1+deb10u2

Done: Daniel Kahn Gillmor <[email protected]>

Bug is archived. No further changes may be made.

Forwarded to https://dev.gnupg.org/T6027

Report forwarded to [email protected], Debian GnuPG Maintainers <[email protected]>:
Bug#1014157; Package gnupg. (Fri, 01 Jul 2022 06:03:04 GMT)


Acknowledgement sent to Daniel Kahn Gillmor <[email protected]>:
New Bug report received and forwarded. Copy sent to Debian GnuPG Maintainers <[email protected]>. (Fri, 01 Jul 2022 06:03:04 GMT)


Message #5 received at [email protected]:

From: Daniel Kahn Gillmor <[email protected]>
To: [email protected]
Subject: gnupg: vulnerable to status injection
Date: Fri, 01 Jul 2022 01:58:31 -0400
Package: gnupg
Version: 2.2.25-2
Control: tag -1 + security patch
Control: forward -1 https://dev.gnupg.org/T6027
Control: affects -1 libgpgme11
Control: found 2.2.27-2+deb11u1

over in https://www.openwall.com/lists/oss-security/2022/06/30/1 Demi
Marie Obenour reports a failed buffer overflow that has the result that
anyone using gpgme (and probably other tooling) cannot trust the results
of signature validation.

I've confirmed that the reported bug is present both in bullseye
(2.2.27-2+deb11u1) and unstable :(

The attached patch (pulled from upstream git) fixes the matter that was
present in 2.2.25-2.  I'm in the process of testing it on bullseye.

        --dkg

[g10-Fix-garbled-status-messages-in-NOTATION_DATA.patch (text/x-diff, inline)]
From: Werner Koch <[email protected]>
Date: Tue, 14 Jun 2022 11:33:27 +0200
Subject: g10: Fix garbled status messages in NOTATION_DATA

* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
--

Depending on the escaping and line wrapping the computed remaining
buffer length could be wrong.  Fixed by always using a break to
terminate the escape detection loop.  Might have happened for all
status lines which may wrap.

GnuPG-bug-id: T6027
(cherry picked from commit 34c649b3601383cd11dbc76221747ec16fd68e1b)
---
 g10/cpr.c | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/g10/cpr.c b/g10/cpr.c
index d502e8b..bc4b715 100644
--- a/g10/cpr.c
+++ b/g10/cpr.c
@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string,
             }
           first = 0;
         }
-      for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
+      for (esc=0, s=buffer, n=len; n; s++, n--)
         {
           if (*s == '%' || *(const byte*)s <= lower_limit
               || *(const byte*)s == 127 )
             esc = 1;
           if (wrap && ++count > wrap)
-            {
-              dowrap=1;
-              break;
-            }
-        }
-      if (esc)
-        {
-          s--; n++;
+            dowrap=1;
+          if (esc || dowrap)
+            break;
         }
       if (s != buffer)
         es_fwrite (buffer, s-buffer, 1, statusfp);
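Review bot: nothing in this change exercises the case it fixes (the diffstat lists only g10/cpr.c), and the rewritten loop carries no comment stating the invariant it now depends on. In the removed code, a byte that both set `esc` and pushed `count` past `wrap` left the loop through the wrap `break`, which skips the `s++, n--` step, yet the following `if (esc) { s--; n++; }` still ran, so `s` ended one byte before the byte that triggered the exit, with `n` counted up to match, and the `s-buffer` length passed to `es_fwrite` was computed from that position. The new `if (esc || dowrap) break;` leaves `s` on the triggering byte for both exits. A short comment saying that every exit must leave `s` on the first unwritten byte, plus a regression test that puts a byte needing escaping exactly at the wrap boundary of a long NOTATION_DATA value, would keep a later cleanup from reintroducing the adjustment.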

Added tag(s) security and patch. Request was from Daniel Kahn Gillmor <[email protected]> to [email protected]. (Fri, 01 Jul 2022 06:03:04 GMT)


Added indication that 1014157 affects libgpgme11 Request was from Daniel Kahn Gillmor <[email protected]> to [email protected]. (Fri, 01 Jul 2022 06:03:05 GMT)


Set Bug forwarded-to-address to 'https://dev.gnupg.org/T6027'. Request was from Daniel Kahn Gillmor <[email protected]> to [email protected]. (Fri, 01 Jul 2022 07:09:03 GMT)


Marked as found in versions gnupg2/2.2.27-2+deb11u1. Request was from Daniel Kahn Gillmor <[email protected]> to [email protected]. (Fri, 01 Jul 2022 07:09:05 GMT)


Reply sent to Daniel Kahn Gillmor <[email protected]>:
You have taken responsibility. (Fri, 01 Jul 2022 07:39:05 GMT)


Notification sent to Daniel Kahn Gillmor <[email protected]>:
Bug acknowledged by developer. (Fri, 01 Jul 2022 07:39:05 GMT)


Message #18 received at [email protected]:

From: Debian FTP Masters <[email protected]>
To: [email protected]
Subject: Bug#1014157: fixed in gnupg2 2.2.35-3
Date: Fri, 01 Jul 2022 07:35:23 +0000
Source: gnupg2
Source-Version: 2.2.35-3
Done: Daniel Kahn Gillmor <[email protected]>

We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <[email protected]> (supplier of updated gnupg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 01 Jul 2022 02:01:17 -0400
Source: gnupg2
Architecture: source
Version: 2.2.35-3
Distribution: unstable
Urgency: high
Maintainer: Debian GnuPG Maintainers <[email protected]>
Changed-By: Daniel Kahn Gillmor <[email protected]>
Closes: 1014157
Changes:
 gnupg2 (2.2.35-3) unstable; urgency=high
 .
   * fix security error from large notations (Thanks, Demi Marie Obenour)
     (Closes: #1014157)
   * Standards-Version: bump to 4.6.1 (no changes needed)
   * clean up lintian-overrides




Marked as found in versions gnupg2/2.2.12-1+deb10u1. Request was from Daniel Kahn Gillmor <[email protected]> to [email protected]. (Fri, 01 Jul 2022 16:09:04 GMT)


Marked as found in versions gnupg2/2.2.12-1. Request was from Salvatore Bonaccorso <[email protected]> to [email protected]. (Fri, 01 Jul 2022 16:51:07 GMT)


Reply sent to Daniel Kahn Gillmor <[email protected]>:
You have taken responsibility. (Mon, 04 Jul 2022 07:36:05 GMT)


Notification sent to Daniel Kahn Gillmor <[email protected]>:
Bug acknowledged by developer. (Mon, 04 Jul 2022 07:36:05 GMT)


Message #27 received at [email protected]:

From: Debian FTP Masters <[email protected]>
To: [email protected]
Subject: Bug#1014157: fixed in gnupg2 2.2.27-2+deb11u2
Date: Mon, 04 Jul 2022 07:32:07 +0000
Source: gnupg2
Source-Version: 2.2.27-2+deb11u2
Done: Daniel Kahn Gillmor <[email protected]>

We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <[email protected]> (supplier of updated gnupg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 01 Jul 2022 03:03:46 -0400
Source: gnupg2
Architecture: source
Version: 2.2.27-2+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Debian GnuPG Maintainers <[email protected]>
Changed-By: Daniel Kahn Gillmor <[email protected]>
Closes: 1014157
Changes:
 gnupg2 (2.2.27-2+deb11u2) bullseye-security; urgency=high
 .
   * fix broken status line (Closes: #1014157)




Reply sent to Daniel Kahn Gillmor <[email protected]>:
You have taken responsibility. (Mon, 11 Jul 2022 20:51:05 GMT)


Notification sent to Daniel Kahn Gillmor <[email protected]>:
Bug acknowledged by developer. (Mon, 11 Jul 2022 20:51:05 GMT)


Message #32 received at [email protected]:

From: Debian FTP Masters <[email protected]>
To: [email protected]
Subject: Bug#1014157: fixed in gnupg2 2.2.12-1+deb10u2
Date: Mon, 11 Jul 2022 20:47:41 +0000
Source: gnupg2
Source-Version: 2.2.12-1+deb10u2
Done: Daniel Kahn Gillmor <[email protected]>

We believe that the bug you reported is fixed in the latest version of
gnupg2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <[email protected]> (supplier of updated gnupg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 01 Jul 2022 12:06:43 -0400
Source: gnupg2
Architecture: source
Version: 2.2.12-1+deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Debian GnuPG Maintainers <[email protected]>
Changed-By: Daniel Kahn Gillmor <[email protected]>
Closes: 1014157
Changes:
 gnupg2 (2.2.12-1+deb10u2) buster-security; urgency=high
 .
   [ Roger Shimizu ]
   * d/control: Update Build-Depends: libgpg-error-dev (>= 1.35)
 .
   [ Daniel Kahn Gillmor ]
   * fix broken status line (Closes: #1014157)




Bug archived. Request was from Debbugs Internal Request <[email protected]> to [email protected]. (Tue, 09 Aug 2022 07:25:54 GMT)


Debian bug tracking system administrator <[email protected]>. Last modified: Sun Nov 24 01:18:22 2024; Machine Name: buxtehude
