Bug 8572 - CVE-2012-6085: gnupg - memory access violations and public keyring database corruption
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/531204/
Whiteboard: has_procedure mga2-32-OK MGA2-64-OK
Keywords: validated_update
Reported: 2013-01-02 01:39 CET by Oden Eriksson
Modified: 2013-01-05 19:38 CET (History)

Source RPM: gnupg-1.4.12-1.mga2.src.rpm

Attachments: Attaching PoC from dropbox link (9.55 KB, application/zip), 2013-01-02 02:34 CET, claire robinson

Description Oden Eriksson 2013-01-02 01:39:38 CET
From oss-security:

On 01/01/2013 12:22 AM, Kurt Seifried wrote:
> On 12/28/2012 06:06 PM, KB Sriram wrote:
>> Versions of GnuPG <= 1.4.12 are vulnerable to memory access
>> violations and public keyring database corruption when importing
>> public keys that have been manipulated.
> 
>> An OpenPGP key can be fuzzed in such a way that gpg segfaults (or
>> has other memory access violations) when importing the key.
> 
>> The key may also be fuzzed such that gpg reports no errors when 
>> examining the key (eg: "gpg the_bad_key.pkr") but importing it
>> causes gpg to corrupt its public keyring database.
> 
>> The database corruption issue was first reported on Dec 6th,
>> through the gpg bug tracking system:
> 
>> https://bugs.g10code.com/gnupg/issue1455
> 
>> The subsequent memory access violation was discovered and reported
>> in a private email with the maintainer on Dec 20th.
> 
>> A zip file with keys that causes segfaults and other errors is 
>> available at
>> http://dl.dropbox.com/u/18852638/gnupg-issues/1455.zip and includes
>> a log file that demonstrates the issues [on MacOS X and gpg
>> 1.4.11]
> 
>> A new version of gpg -- 1.4.13 -- that addressed both these issues,
>> was independently released by the maintainer on Dec 20th.
> 
>> The simplest solution is to upgrade all gpg installs to 1.4.13.
> 
>> [Workarounds: A corrupted database may be recovered by manually 
>> copying back the pubring.gpg~ backup file. Certain errors may also
>> be prevented by never directly importing a key, but first just
>> "looking" at the key (eg: "gpg bad_key.pkr"). However, this is not
>> guaranteed to work in all cases; though upgrading to 1.4.13 does
>> work for the issues reported.]
> 
>> Discovery:
> 
>> The problem was discovered during a byte-fuzzing test of OpenPGP 
>> certificates for an unrelated application. Each byte in turn was 
>> replaced by a random byte, and the modified certificate fed to the 
>> application to check that it handled errors correctly. Gpg was used
>> as a control, but it itself turned out to have errors related to
>> packet parsing. The errors are generally triggered when fuzzing the
>> length field of OpenPGP packets, which cascades into subsequent
>> errors in certain situations.
> 
>> -kb
> 
> Has this been assigned a CVE identifier yet?

Spoke with upstream, confirmed things. Please use CVE-2012-6085 for this
issue.
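The report above describes the bug class (OpenPGP packet length fields fuzzed one byte at a time until the parser reads past the packet) but not the framing rules involved. The following is an added example, not GnuPG's code and not the reporter's fuzzer: a minimal parser for OpenPGP packet headers (RFC 4880 section 4.2, old and new format lengths including partial body lengths) that refuses any packet whose declared length exceeds the bytes actually present, plus the same replace-each-byte fuzz loop run against it. The sample packet stream, the hypothetical helper names (`parse_packets`, `fuzz_each_byte`, `demo_length_overrun`) and the error wording are all constructed here; the packet bodies are filler, not real key material, since only the framing is parsed.

```python
"""Minimal OpenPGP packet-framing parser plus a byte-replacement fuzzer.

Parses only the packet headers (tag + length), never the key material
inside, and rejects any packet whose declared length runs past the buffer.
This is an illustrative example, not GnuPG's parser.
"""
import random


class PacketError(ValueError):
    """Malformed framing; the analogue of gpg's 'packet(N) too short' message."""


def _read(data: bytes, pos: int, n: int, tag: int) -> bytes:
    """Return data[pos:pos+n], refusing to run past the end of the buffer.

    This bounds check is the whole point: a parser that trusts the length
    octets and indexes blindly is the kind that segfaults on a fuzzed key."""
    if pos + n > len(data):
        raise PacketError(f"packet({tag}) too short: need {n} bytes at offset {pos}, "
                          f"have {len(data) - pos}")
    return data[pos:pos + n]


def parse_packets(data: bytes) -> list:
    """Split an OpenPGP packet stream into (tag, body) tuples."""
    packets = []
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise PacketError(f"invalid packet header byte 0x{ctb:02x} at offset {pos - 1}")
        if ctb & 0x40:                      # new-format header: tag in low 6 bits
            tag = ctb & 0x3F
            body = b""
            while True:                     # loop joins partial body lengths
                first = _read(data, pos, 1, tag)[0]
                pos += 1
                partial = False
                if first < 192:             # one-octet length
                    length = first
                elif first < 224:           # two-octet length
                    second = _read(data, pos, 1, tag)[0]
                    pos += 1
                    length = ((first - 192) << 8) + second + 192
                elif first == 255:          # five-octet length
                    length = int.from_bytes(_read(data, pos, 4, tag), "big")
                    pos += 4
                else:                       # 224..254: partial body length
                    length = 1 << (first & 0x1F)
                    partial = True
                body += _read(data, pos, length, tag)
                pos += length
                if not partial:
                    break
        else:                               # old-format header: tag in bits 5..2
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:                  # indeterminate length: rest of input
                body = data[pos:]
                pos = len(data)
            else:
                width = (1, 2, 4)[ltype]
                length = int.from_bytes(_read(data, pos, width, tag), "big")
                pos += width
                body = _read(data, pos, length, tag)
                pos += length
        packets.append((tag, body))
    return packets


def _new_packet(tag: int, body: bytes) -> bytes:
    """Encode body as a new-format packet using the shortest regular length form."""
    n = len(body)
    if n < 192:
        hdr = bytes([0xC0 | tag, n])
    elif n < 8384:
        n2 = n - 192
        hdr = bytes([0xC0 | tag, (n2 >> 8) + 192, n2 & 0xFF])
    else:
        hdr = bytes([0xC0 | tag, 255]) + n.to_bytes(4, "big")
    return hdr + body


# Constructed sample: public-key packet (tag 6), user ID packet (tag 13) and a
# signature packet (tag 2). Bodies are filler; only the framing is meaningful.
SAMPLE_KEY = (
    _new_packet(6, b"\x04" + b"\x00" * 4 + b"\x01" + b"K" * 40)
    + _new_packet(13, b"test")
    + _new_packet(2, b"S" * 300)            # >191 bytes: exercises the two-octet form
)


def demo_length_overrun(data: bytes = SAMPLE_KEY) -> str:
    """Overwrite the first packet's length octet with 0xFF (five-octet form) so the
    next four body bytes are read as a huge length; a safe parser must reject it."""
    mutated = bytearray(data)
    mutated[1] = 0xFF
    try:
        parse_packets(bytes(mutated))
        return "accepted"
    except PacketError as err:
        return str(err)


def fuzz_each_byte(data: bytes, seed: int = 1455) -> dict:
    """Replace each byte in turn with a random byte (as in the report) and classify
    the parser's reaction: 'accepted' (still self-consistent), 'rejected'
    (PacketError, the correct outcome) or 'crashed' (any other exception)."""
    rng = random.Random(seed)
    counts = {"accepted": 0, "rejected": 0, "crashed": 0}
    for i in range(len(data)):
        mutated = bytearray(data)
        mutated[i] = rng.randrange(256)
        try:
            parse_packets(bytes(mutated))
            counts["accepted"] += 1
        except PacketError:
            counts["rejected"] += 1
        except Exception:                   # a parser bug, not a malformed input
            counts["crashed"] += 1
    return counts


if __name__ == "__main__":
    print([tag for tag, _ in parse_packets(SAMPLE_KEY)])
    print(demo_length_overrun())
    print(fuzz_each_byte(SAMPLE_KEY))
```

Every mutation either yields a stream the parser can still account for byte by byte or a `PacketError`; the `crashed` counter staying at zero is the property a keyring importer needs, since a length that points past the buffer must be reported, not followed.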
Comment 1 claire robinson 2013-01-02 02:34:21 CET
Created attachment 3306 [details]
Attaching PoC from dropbox link
Comment 2 Oden Eriksson 2013-01-02 13:09:19 CET
Fixed packages have been submitted to mga2, updates_testing (gnupg-1.4.12-1.1.mga2, gnupg2-2.0.18-1.1.mga2).

I bumped to 1.4.13 yesterday (2013-01-01) and just submitted gnupg2-2.0.19-2.mga3 to cauldron.

Tested using the PoC. all OK.
Comment 3 Oden Eriksson 2013-01-02 13:13:20 CET
Proposed advisory:

Versions of GnuPG <= 1.4.12 are vulnerable to memory access violations and public keyring database corruption when importing public keys that have been manipulated.

An OpenPGP key can be fuzzed in such a way that gpg segfaults (or has other memory access violations) when importing the key.

References:

https://bugs.g10code.com/gnupg/issue1455
https://bugzilla.redhat.com/show_bug.cgi?id=891142
Comment 4 claire robinson 2013-01-02 17:28:57 CET
Testing partially complete mga2 32
gnupg2 needs a subrel bump Oden

Mageia release 2 (Official) for i586
------------------
Core Release
gnupg2-2.0.18-1.mga2
------------------
Core Updates
gnupg2-2.0.18-1.1.mga2
------------------
Core Updates Testing
gnupg2-2.0.18-1.1.mga2
------------------


With gnupg

Before
------
$ gpg --homedir=/tmp/gpg-box --list-key
gpg: packet(1) too short
gpg: keyring_get_keyblock: read error: invalid packet
gpg: keydb_get_keyblock failed: invalid keyring

$ gpg --homedir=/tmp/gpg-box --delete-key FC21FDDE
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: packet(1) too short
gpg: keyring_get_keyblock: read error: invalid packet
gpg: error reading keyblock: invalid keyring
gpg: FC21FDDE: delete key failed: invalid keyring

After
-----
$ gpg --homedir=/tmp/gpg-box --list-key
/tmp/gpg-box/pubring.gpg
------------------------
pub   4096s/FC21FDDE 2012-12-06
uid                  test

$ rm -rf /tmp/gpg-box


Repeated for gnupg2 using gpg2 instead of gpg with different results

Before
------
$ gpg2 --homedir=/tmp/gpg-box --list-keys
gpg: keyring `/tmp/gpg-box/pubring.gpg' created
gpg: /tmp/gpg-box/trustdb.gpg: trustdb created

$ gpg2 --homedir=/tmp/gpg-box --import fuzz-1617.pkr
gpg: keyring `/tmp/gpg-box/secring.gpg' created
gpg: key FC21FDDE: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

$ gpg2 --homedir=/tmp/gpg-box --list-key
$ gpg2 --homedir=/tmp/gpg-box --list-keys
$ gpg2 --homedir=/tmp/gpg-box --delete-key FC21FDDE
gpg (GnuPG) 2.0.18; Copyright (C) 2011 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: key "FC21FDDE" not found: Unknown system error
gpg: FC21FDDE: delete key failed: Unknown system error


Does gnupg2 need this patch?
Comment 5 David Walser 2013-01-02 18:21:55 CET
Notice the package release tag is the same in updates and updates_testing, so I'm guessing you didn't actually update gnupg2 before your after test for that.  This happened because the previous person who updated this package put the subrel line in a less than ideal place and Oden didn't see it.  I've fixed it and pushed gnupg2-2.0.18-1.2.mga2 to the build system.
Comment 6 David Walser 2013-01-02 18:22:41 CET
For reference, here's Mandriva's advisory for this issue:
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2013:001
Comment 7 claire robinson 2013-01-02 18:25:20 CET
No 'After' test was yet performed for gnupg2 David. Please see again comment 4.
Comment 8 David Walser 2013-01-02 18:33:43 CET
(In reply to comment #7)
> No 'After' test was yet performed for gnupg2 David. Please see again comment 4.

Indeed.  Well, the subrel still needed to be fixed, so the After test can be performed once it hits the mirrors :o)  So, just to be clear, this update includes both the gnupg and gnupg2 SRPMS, as Oden noted in Comment 2.
Comment 9 claire robinson 2013-01-02 18:41:23 CET
It's still not clear whether gnupg2 actually requires this patch.

Assuming I used it correctly :D the initial test showed it refused to import the fuzzed pkr so may not be vulnerable and the advisory also says 'Versions of GnuPG <= 1.4.12 are vulnerable to memory access violations' where gnupg2 is 2.0.18
Comment 10 claire robinson 2013-01-02 19:09:03 CET
Found the solution, with gnupg2 it's necessary to use an extra option --allow-non-selfsigned-uid

Testing complete mga2 32

Confirming gnupg2 is vulnerable, could the advisory please reflect this.


Before
------
$ gpg2 --homedir=/tmp/gpg-box --allow-non-selfsigned-uid --import fuzz-1617.pkr
gpg: key FC21FDDE: accepted non self-signed user ID "test"
gpg: packet(1) too short
gpg: keyring_get_keyblock: read error: Invalid packet
gpg: keydb_get_keyblock failed: Invalid keyring
gpg: keydb_search failed: Invalid keyring
gpg: key FC21FDDE: public key "[User ID not found]" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

$ gpg2 --homedir=/tmp/gpg-box --list-key
gpg: packet(1) too short
gpg: keyring_get_keyblock: read error: Invalid packet
gpg: keydb_get_keyblock failed: Invalid keyring

$ gpg2 --homedir=/tmp/gpg-box --delete-key FC21FDDE
gpg (GnuPG) 2.0.18; Copyright (C) 2011 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: packet(1) too short
gpg: keyring_get_keyblock: read error: Invalid packet
gpg: error reading keyblock: Invalid keyring
gpg: FC21FDDE: delete key failed: Invalid keyring

After
-----
$ gpg2 --homedir=/tmp/gpg-box --allow-non-selfsigned-uid --import fuzz-1617.pkr
gpg: keyring `/tmp/gpg-box/secring.gpg' created
gpg: key FC21FDDE: accepted non self-signed user ID "test"
gpg: key FC21FDDE: public key "test" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

$ gpg2 --homedir=/tmp/gpg-box --list-key
/tmp/gpg-box/pubring.gpg
------------------------
pub      0s/FC21FDDE 2012-12-06
uid                  test

$ gpg2 --homedir=/tmp/gpg-box --delete-key FC21FDDE
gpg (GnuPG) 2.0.18; Copyright (C) 2011 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub     0s/FC21FDDE 2012-12-06 test

Delete this key from the keyring? (y/N) y
Comment 11 David Walser 2013-01-02 19:19:24 CET
Oh, I really did misunderstand you.  When you asked if gnupg2 needed the patch I thought you were saying it appeared it hadn't been patched.  You were trying to say the Before test looked fine, so you wanted to confirm it needed to be updated.  Sorry for the misunderstanding.  Nice job finding the needed option.

Advisory:
========================

Updated gnupg and gnupg2 packages fix security vulnerability:

Versions of GnuPG <= 1.4.12 and GnuPG2 <= 2.0.19 are vulnerable to memory
access violations and public keyring database corruption when importing
public keys that have been manipulated. An OpenPGP key can be fuzzed in
such a way that gpg segfaults (or has other memory access violations) when
importing the key (CVE-2012-6085).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6085
https://bugs.g10code.com/gnupg/issue1455
https://bugzilla.redhat.com/show_bug.cgi?id=891142
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2013:001
========================

Updated packages in core/updates_testing:
========================
gnupg-1.4.12-1.1.mga2
gnupg2-2.0.18-1.2.mga2

from SRPMS:
gnupg-1.4.12-1.1.mga2.src.rpm
gnupg2-2.0.18-1.2.mga2.src.rpm
Comment 12 Dave Hodgins 2013-01-03 03:04:44 CET
Testing complete on Mageia 2 x86-64.

Thanks for the detailed testing procedure Claire.  One note, after unzipping
the attachment, "> gpg-box/pubring.gpg", to erase the existing bad key,
before testing.

Could someone from the sysadmin team push the srpms
gnupg-1.4.12-1.1.mga2.src.rpm
gnupg2-2.0.18-1.2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated gnupg and gnupg2 packages fix security vulnerability:

Versions of GnuPG <= 1.4.12 and GnuPG2 <= 2.0.19 are vulnerable to memory
access violations and public keyring database corruption when importing
public keys that have been manipulated. An OpenPGP key can be fuzzed in
such a way that gpg segfaults (or has other memory access violations) when
importing the key (CVE-2012-6085).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6085
https://bugs.g10code.com/gnupg/issue1455
https://bugzilla.redhat.com/show_bug.cgi?id=891142
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2013:001

https://bugs.mageia.org/show_bug.cgi?id=8572
Comment 13 David Walser 2013-01-03 20:22:24 CET
Patches added to Mageia 1 SVN.
Comment 14 Thomas Backlund 2013-01-05 19:38:46 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0003
