Package: gnupg2 / 2.0.26-6+deb8u2

0018-gpg-Fix-a-NULL-deref-for-invalid-input-data.patch Patch series | download
From 92a7949ae6331b5e188480b76ce29a86ede6e89e Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Mon, 24 Nov 2014 18:19:31 +0100
Subject: [PATCH 18/31] gpg: Fix a NULL-deref for invalid input data.

* g10/mainproc.c (proc_encrypted): Take care of canceled passphrase
entry.
--

GnuPG-bug-id: 1761
Signed-off-by: Werner Koch <wk@gnupg.org>

(backported from commit 32e85668b82f6fbcb824eea9548970804fb41d9e)
---
 g10/mainproc.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/g10/mainproc.c b/g10/mainproc.c
index 3abcb15..6288030 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -520,7 +520,9 @@ proc_encrypted( CTX c, PACKET *pkt )
 	result = -1;
     else if( !c->dek && !c->last_was_session_key ) {
         int algo;
-        STRING2KEY s2kbuf, *s2k = NULL;
+        STRING2KEY s2kbuf;
+        STRING2KEY *s2k = NULL;
+        int canceled;
 
 	if(opt.override_session_key)
 	  {
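Review bot: `canceled` is declared without an initialiser and is read in the `else if (canceled)` branch added by the second hunk, so the new code is only well-defined if `passphrase_to_dek` stores to the out-parameter on every path that returns NULL; that function is not visible in this patch. Declaring it as `int canceled = 0;` removes the dependency and makes `GPG_ERR_INV_PASSPHRASE` the outcome when the flag was never set. The enclosing block of proc_encrypted continues outside the hunk.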
@@ -562,9 +564,13 @@ proc_encrypted( CTX c, PACKET *pkt )
 		log_info (_("assuming %s encrypted data\n"), "IDEA");
 	      }
 
-	    c->dek = passphrase_to_dek ( NULL, 0, algo, s2k, 3, NULL, NULL );
+	    c->dek = passphrase_to_dek ( NULL, 0, algo, s2k, 3, NULL,&canceled);
 	    if (c->dek)
 	      c->dek->algo_info_printed = 1;
+            else if (canceled)
+              result = gpg_error (GPG_ERR_CANCELED);
+            else
+              result = gpg_error (GPG_ERR_INV_PASSPHRASE);
 	  }
     }
     else if( !c->dek )
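Review bot: The two new `else` branches carry no comment saying why `result` must be set when `c->dek` comes back NULL, although that is the substance of the fix. A line such as `/* No DEK: record an error so the code below does not use c->dek.  */` above `else if (canceled)` would keep a later edit from dropping them; the code that consumes `result` lies outside the hunk, so the wording should be checked against it. The added lines are also indented with spaces where the neighbouring lines use tabs, and `NULL,&canceled` lacks the space after the comma used in the rest of the call.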
@@ -585,7 +591,7 @@ proc_encrypted( CTX c, PACKET *pkt )
 	else if(!opt.no_mdc_warn)
 	    log_info (_("WARNING: message was not integrity protected\n"));
     }
-    else if( result == G10ERR_BAD_SIGN ) {
+    else if( gpg_err_code (result) == G10ERR_BAD_SIGN ) {
 	log_error(_("WARNING: encrypted message has been manipulated!\n"));
 	write_status( STATUS_BADMDC );
 	write_status( STATUS_DECRYPTION_FAILED );
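Review bot: After this patch `result` can be non-zero while `c->dek` is still NULL, so every later failure branch of this if/else chain has to avoid dereferencing `c->dek`; only the BAD_SIGN branch is visible here and the rest of the chain is outside the hunk. If a failure branch reads a field of `c->dek`, it should test the pointer first, e.g. `if (c->dek && ...)`. Any remaining comparison of `result` against a bare error constant should likewise go through `gpg_err_code (result)` as this line now does, because values built with `gpg_error ()` carry an error source in addition to the code.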
-- 
2.1.4