Package: gnupg2 / 2.0.26-6+deb8u2

0057-gpg-Fix-segv-due-to-NULL-value-stored-as-opaque-MPI.patch Patch series | download
From e3fce4cdba1717542c5e25ad6ab66bc7da0a1f02 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sat, 21 Feb 2015 18:12:22 -0500
Subject: [PATCH] gpg: Fix segv due to NULL value stored as opaque MPI (BRANCH
 2.0)

* g10/build-packet.c (do_secret_key): Check for NULL return from
gcry_mpi_get_opaque.
* g10/keyid.c (hash_public_key): Ditto.
--

This is a backport of 76c8122adfed0f0f443cce7bda702ba2b39661b3 from
master to the STABLE-BRANCH-2-0

On the STABLE-BRANCH-2-0, we may also want to patch g10/seckey-cert.c,
but that has not been done in this patch.

This fix extends commit 0835d2f44ef62eab51fce6a927908f544e01cf8f.

  gpg2 --export --no-default-keyring --keyring TESTDATA

With TESTDATA being below after unpacking.

-----BEGIN PGP ARMORED FILE-----

mBMEhdkMmS8BcX8F//8F5voEhQAQmBMEnAAAZwAAo4D/f/8EhQAAAIAEnP8EhQAQ
iBMEnP8AAAAABf8jIID///8EhQYQmBMEnIUAEIgTBKT/AAAAAAUAACCA/f//BIUA
EJgTBJx/AP8ABPPzBJx/AP8ABPPz
=2yE0
-----END PGP ARMORED FILE-----

Reported-by: Jodie Cunningham
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
 g10/build-packet.c |  6 ++++--
 g10/keyid.c        | 16 ++++++++++------
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/g10/build-packet.c b/g10/build-packet.c
index e986987..5cc03cf 100644
--- a/g10/build-packet.c
+++ b/g10/build-packet.c
@@ -398,7 +398,8 @@ do_secret_key( IOBUF out, int ctb, PKT_secret_key *sk )
 
       assert (gcry_mpi_get_flag (sk->skey[npkey], GCRYMPI_FLAG_OPAQUE));
       p = gcry_mpi_get_opaque (sk->skey[npkey], &ndatabits );
-      iobuf_write (a, p, (ndatabits+7)/8 );
+      if (p)
+        iobuf_write (a, p, (ndatabits+7)/8 );
     }
   else if ( sk->is_protected )
     {
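Review bot: When `gcry_mpi_get_opaque` returns NULL, the new `if (p)` guard skips the `iobuf_write` silently, so do_secret_key goes on to build a secret-key packet without the opaque key material and, as far as this hunk shows, reports nothing to the caller. The same applies to the guarded write inside the loop over `sk->skey[i]` in the second hunk of this file. Since the NULL comes from a malformed key read from a keyring, the skip should be made visible, for example with `else log_info ("secret key has an empty opaque MPI - skipped\n");`, or the export of that key should fail with an error. The body of do_secret_key starts and ends outside the hunk, so whether an error code can be propagated from here needs checking against the full function.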
@@ -410,7 +411,8 @@ do_secret_key( IOBUF out, int ctb, PKT_secret_key *sk )
 
           assert (gcry_mpi_get_flag (sk->skey[i], GCRYMPI_FLAG_OPAQUE));
           p = gcry_mpi_get_opaque (sk->skey[i], &ndatabits);
-          iobuf_write (a, p, (ndatabits+7)/8);
+          if (p)
+            iobuf_write (a, p, (ndatabits+7)/8);
         }
       write_16(a, sk->csum );
     }
diff --git a/g10/keyid.c b/g10/keyid.c
index 6af0f48..ef6ee1c 100644
--- a/g10/keyid.c
+++ b/g10/keyid.c
@@ -115,14 +115,18 @@ hash_public_key( gcry_md_hd_t md, PKT_public_key *pk )
   if(npkey==0 && pk->pkey[0]
      && gcry_mpi_get_flag (pk->pkey[0], GCRYMPI_FLAG_OPAQUE))
     {
-      gcry_md_write (md, pp[0], nn[0]);
+      if (pp[0])
+        gcry_md_write (md, pp[0], nn[0]);
     }
   else
-    for(i=0; i < npkey; i++ )
-      {
-	gcry_md_write ( md, pp[i], nn[i] );
-	xfree(pp[i]);
-      }
+    {
+      for(i=0; i < npkey; i++ )
+        {
+          if (pp[i])
+            gcry_md_write ( md, pp[i], nn[i] );
+          xfree(pp[i]);
+        }
+    }
 }
 
 static gcry_md_hd_t
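Review bot: In hash_public_key a NULL `pp[i]` (and `pp[0]` in the opaque branch) is now skipped without comment, so the digest covers only what was hashed earlier plus the non-NULL MPIs. If the length fed to the digest earlier in the function was accumulated from `nn[]`, the hashed length and body could disagree for such a key; that code is outside this hunk, so confirm that `nn[i]` is zero whenever `pp[i]` is NULL. A comment at the guard would record the intent, e.g. `/* pp[i] is NULL for an empty opaque MPI from a malformed key: nothing to hash. */`. The beginning of hash_public_key, where `pp` and `nn` are filled, is not visible here.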
-- 
2.1.4