Package: gnupg2 / 2.0.26-6+deb8u2

0051-gpg-Fix-a-NULL-deref-due-to-empty-ring-trust-packets.patch Patch series | download
From 7e12ec4c7d6df29a7d7935399fccd2594ebb4a7e Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Thu, 12 Feb 2015 18:52:07 +0100
Subject: [PATCH 51/56] gpg: Fix a NULL-deref due to empty ring trust packets.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* g10/parse-packet.c (parse_trust): Always allocate a packet.
--

Reported-by: Hanno Böck <hanno@hboeck.de>
Signed-off-by: Werner Koch <wk@gnupg.org>

(back ported from commit 39978487863066e59bb657f5fe4e8baab510da7e)
---
 g10/parse-packet.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index c374477..7b379c1 100644
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -2324,11 +2324,11 @@ parse_trust( IOBUF inp, int pkttype, unsigned long pktlen, PACKET *pkt )
 
   (void)pkttype;
 
+  pkt->pkt.ring_trust = xmalloc( sizeof *pkt->pkt.ring_trust );
   if (pktlen)
     {
       c = iobuf_get_noeof(inp);
       pktlen--;
-      pkt->pkt.ring_trust = xmalloc( sizeof *pkt->pkt.ring_trust );
       pkt->pkt.ring_trust->trustval = c;
       pkt->pkt.ring_trust->sigcache = 0;
       if (!c && pktlen==1)
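Review bot: The allocation hoisted to the top of this hunk still uses plain `xmalloc`, so the structure is uninitialised until each branch assigns its fields by hand. Since this function parses untrusted packet data, zeroing once at allocation is more robust: `pkt->pkt.ring_trust = xmalloc_clear (sizeof *pkt->pkt.ring_trust);`. With that, the two explicit zero assignments in the else-branch of the second hunk become redundant, and a later branch that forgets a field cannot leak stale heap contents. The struct definition is not visible here, so whether it has members beyond `trustval` and `sigcache` should be confirmed. The body of parse_trust starts before this hunk and continues past it.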
@@ -2346,8 +2346,10 @@ parse_trust( IOBUF inp, int pkttype, unsigned long pktlen, PACKET *pkt )
     }
   else
     {
-      if( list_mode )
-	fprintf (listfp, ":trust packet: empty\n");
+      pkt->pkt.ring_trust->trustval = 0;
+      pkt->pkt.ring_trust->sigcache = 0;
+      if (list_mode)
+        fprintf (listfp, ":trust packet: empty\n");
     }
   iobuf_skip_rest (inp, pktlen, 0);
 }
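Review bot: The else-branch has no comment explaining why a zero-length trust packet must still yield an allocated, zeroed `ring_trust`, and only the commit message records that the missing allocation led to a NULL dereference. A short comment above the two assignments would keep a later cleanup from moving the allocation back under `if (pktlen)`, for example `/* Empty trust packet: still provide a valid ring_trust, later code dereferences it unconditionally. */`. That later code lies outside the hunk, so the wording about it is inferred from the commit subject and should be checked against the call sites. The beginning of parse_trust is outside this hunk.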
-- 
2.1.4