Fix possible realloc overflow for gpgsm and uiserver engines.
author    Werner Koch <wk@gnupg.org>
          Wed, 30 Jul 2014 09:04:55 +0000 (11:04 +0200)
committer Werner Koch <wk@gnupg.org>
          Wed, 30 Jul 2014 09:04:55 +0000 (11:04 +0200)
* src/engine-gpgsm.c (status_handler):
* src/engine-uiserver.c (status_handler):
--

After a realloc (realloc is also used for initial alloc) the allocated
size of the buffer is not correctly recorded.  Thus an overflow can be
introduced by receiving data with different line lengths in a specific
order.  This is not easily exploitable because libassuan constructs the
line.  However, a crash has been reported and thus it might be possible
to construct an exploit.

CVE-id: CVE-2014-3564
Reported-by: Tomáš Trnka
NEWS
src/engine-gpgsm.c
src/engine-uiserver.c
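An added example, not code from GPGME or from this commit: a small C model of the line-reassembly ("attic") buffer the commit message describes, with the old bookkeeping and the fixed bookkeeping selectable by a flag. The names (`struct attic`, `attic_append`, `run_sequence`), the chunk sequence and the model's `real_size` field are constructed for illustration; the model assumes, as the fixed line `linesize = *alinelen + linelen + 1` implies, that realloc is asked for "retained bytes + new chunk + NUL" bytes, and that growth is triggered when the append would not fit the recorded size. Rather than corrupting memory, it checks before each write whether the write would exceed the real allocation, which makes the triggering order of line lengths visible: a complete line with a short partial tail, then a longer chunk that forces a realloc, then a mid-length chunk that fits the over-counted record but not the real buffer.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not GPGME code) of a line-reassembly buffer: chunks
 * arrive, complete lines are consumed, and any partial tail is retained
 * for the next chunk.  real_size exists only in the model so that the
 * recorded size can be compared against the true allocation. */
struct attic {
    char *line;         /* the buffer itself (NULL until first growth) */
    size_t linelen;     /* bytes currently retained (the partial line) */
    size_t linesize;    /* what the bookkeeping believes the allocation is */
    size_t real_size;   /* the true allocation, tracked by the model only */
    int fixed;          /* 0 = old "+=" bookkeeping, 1 = the commit's fix */
};

/* Append one chunk.  Returns 1 if the recorded size would let a write
 * through that the real allocation cannot hold (the overflow the commit
 * fixes); in that case nothing is written.  Returns 0 on a safe append. */
static int attic_append(struct attic *a, const char *chunk, size_t chunklen)
{
    if (a->linelen + chunklen + 1 >= a->linesize) {
        /* Assumption: the engine reallocs to retained bytes + chunk + NUL. */
        size_t newsize = a->linelen + chunklen + 1;
        char *newline = realloc(a->line, newsize);
        if (!newline)
            abort();
        a->line = newline;
        a->real_size = newsize;
        if (a->fixed)
            a->linesize = a->linelen + chunklen + 1;  /* commit: record exact size */
        else
            a->linesize += chunklen + 1;              /* old code: grow the record */
    }
    /* The write needs linelen + chunklen bytes plus a terminating NUL. */
    if (a->linelen + chunklen + 1 > a->real_size)
        return 1;
    memcpy(a->line + a->linelen, chunk, chunklen);
    a->linelen += chunklen;
    a->line[a->linelen] = '\0';
    /* Consume complete lines; only the unterminated tail stays in the attic. */
    for (;;) {
        char *nl = memchr(a->line, '\n', a->linelen);
        if (!nl)
            break;
        size_t used = (size_t)(nl - a->line) + 1;
        memmove(a->line, a->line + used, a->linelen - used);
        a->linelen -= used;
        a->line[a->linelen] = '\0';
    }
    return 0;
}

/* Constructed chunk sequence in the spirit of "different line lengths in
 * a specific order":
 * 1. a complete line plus a 2-byte partial tail: the attic shrinks to 2
 *    bytes while the old bookkeeping still remembers the full 8-byte growth,
 * 2. a longer chunk that forces another realloc: old record 8+11 = 19,
 *    real allocation 2+10+1 = 13,
 * 3. a mid-length chunk: 12+5+1 = 18 fits the recorded 19, not the real 13.
 * Returns 1 if the model detects the overflow, 0 otherwise. */
static int run_sequence(int fixed)
{
    static const char *const chunks[] = { "aaaa\nbb", "cccccccccc", "ddddd" };
    struct attic a = { NULL, 0, 0, 0, fixed };
    int overflow = 0;
    for (size_t i = 0; i < sizeof chunks / sizeof chunks[0] && !overflow; i++)
        overflow = attic_append(&a, chunks[i], strlen(chunks[i]));
    free(a.line);
    return overflow;
}

int main(void)
{
    printf("old bookkeeping:   %s\n",
           run_sequence(0) ? "write exceeds allocation" : "ok");
    printf("fixed bookkeeping: %s\n",
           run_sequence(1) ? "write exceeds allocation" : "ok");
    return 0;
}
```

The model's third step is the point: with `+=` the record is 19 while the heap block is 13, so the engine would not realloc and would write 18 bytes into 13. With the assignment form the record equals the allocation after every growth, so the third chunk triggers a fresh realloc instead.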

diff --git a/NEWS b/NEWS
index c6a8f52..ff75e9c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,9 @@
 Noteworthy changes in version 1.5.1 (unreleased) [C__/A__/R_]
 -------------------------------------------------------------
 
+ * Fix possible overflow in gpgsm and uiserver engines.
+   [CVE-2014-35640]
+
  * Add support for GnuPG 2.1's --with-secret option.
 
  * Interface changes relative to the 1.5.0 release:
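Review bot: the CVE identifier on the added NEWS line, "[CVE-2014-35640]", does not match the "CVE-id: CVE-2014-3564" trailer in the commit message; the NEWS entry has an extra digit and should read "[CVE-2014-3564]". The entry would also be more useful to packagers if it named the defect, e.g. "Fix possible buffer overflow after realloc in the gpgsm and uiserver engines' line buffer", rather than just "possible overflow".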
index 8ec1598..3a83757 100644 (file)
@@ -836,7 +836,7 @@ status_handler (void *opaque, int fd)
              else
                {
                  *aline = newline;
-                 gpgsm->colon.attic.linesize += linelen + 1;
+                 gpgsm->colon.attic.linesize = *alinelen + linelen + 1;
                }
            }
          if (!err)
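Review bot: the assignment is the right fix, but the invariant it restores is left undocumented at the one place where it matters: `linesize` must equal the size the realloc that produced `newline` was asked for, which the new line expresses in terms of `*alinelen`, the bytes still held in the attic, whereas the old `+= linelen + 1` grew the record from the previous record and so overstated the real allocation whenever the attic had been partially drained since the last growth. Suggest a one-line comment at the assignment, e.g. "/* Record the exact new allocation; the attic may have shrunk since the last realloc. */", and having the realloc call and this line share a single local (say `newsize`) so the two expressions cannot drift apart again.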
index 2738c36..a7184b7 100644 (file)
@@ -698,7 +698,7 @@ status_handler (void *opaque, int fd)
              else
                {
                  *aline = newline;
-                 uiserver->colon.attic.linesize += linelen + 1;
+                 uiserver->colon.attic.linesize = *alinelen + linelen + 1;
                }
            }
          if (!err)
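Review bot: this hunk is a byte-for-byte copy of the engine-gpgsm.c one, down to the variable names, which is why the same bug had to be fixed twice; the attic-growth step is duplicated between the two engines. Suggest moving the grow-and-record step into a shared helper that takes the attic struct, so the next change to the size computation lands in one place, and adding a regression test that feeds both engines a complete line with a short partial tail, then a longer chunk, then a mid-length chunk, the "different line lengths in a specific order" the commit message describes.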