On Mon, 23 Mar 2015 11:05, ventur...@gmail.com said:

> Are the applicable parts of the issues highlighted here:
> http://www.openwall.com/lists/oss-security/2015/02/13/14
> Backported to 2.0.27?

Yes, all four:

1. 39978487863066e59bb657f5fe4e8baab510da7e

   commit 7e12ec4c7d6df29a7d7935399fccd2594ebb4a7e
   Author: Werner Koch <w...@gnupg.org>
   Date:   Thu Feb 12 18:52:07 2015 +0100

       gpg: Fix a NULL-deref due to empty ring trust packets.

       * g10/parse-packet.c (parse_trust): Always allocate a packet.
       --

       Reported-by: Hanno Böck <ha...@hboeck.de>
       Signed-off-by: Werner Koch <w...@gnupg.org>

       (back ported from commit 39978487863066e59bb657f5fe4e8baab510da7e)

2. 0835d2f44ef62eab51fce6a927908f544e01cf8f

   commit 8da836e76f1349f4587d1bb74864b11dde7b8a39
   Author: Werner Koch <w...@gnupg.org>
   Date:   Thu Feb 12 18:54:17 2015 +0100

       gpg: Fix a NULL-deref in export due to invalid packet lengths.

       * g10/build-packet.c (write_fake_data): Take care of a NULL stored as
       opaque MPI.
       --

       Reported-by: Hanno Böck <ha...@hboeck.de>

       (back ported from commit 0835d2f44ef62eab51fce6a927908f544e01cf8f)

3. 0f71a721ccd7ab9e40b8b6b028b59632c0cc648

   commit 824d88ac51b4d680f06e68f0879a7c1ec03cb2ba
   Author: Werner Koch <w...@gnupg.org>
   Date:   Thu Feb 12 18:58:36 2015 +0100

       gpg: Prevent an invalid memory read using a garbled keyring.

       * g10/keyring.c (keyring_get_keyblock): Whitelist allowed packet
       types.
       --

       The keyring DB code did not reject packets which don't belong into a
       keyring.  If for example the keyblock contains a literal data packet
       it is expected that the processing code stops at the data packet and
       reads from the input stream which is referenced from the data
       packets.  Obviously the keyring processing code does not and cannot
       do that.  However, when exporting this messes up the IOBUF and leads
       to an invalid read of sizeof (int).

       We now skip all packets which are not allowed in a keyring.

       Reported-by: Hanno Böck <ha...@hboeck.de>

       (back ported from commit f0f71a721ccd7ab9e40b8b6b028b59632c0cc648)

4. 2183683bd633818dd031b090b5530951de76f392

   commit 3627123dc8fdc551caca1c7944713fbf01feccf6
   Author: Werner Koch <w...@gnupg.org>
   Date:   Thu Feb 12 20:34:44 2015 +0100

       Use inline functions to convert buffer data to scalars.

       * include/host2net.h (buf16_to_ulong, buf16_to_uint): New.
       (buf16_to_ushort, buf16_to_u16): New.
       (buf32_to_size_t, buf32_to_ulong, buf32_to_uint, buf32_to_u32): New.
       --

       This fixes sign extension on shift problems.  Hanno Böck found a case
       with an invalid read due to this problem.  To fix that almost all
       uses of "<< 24" and "<< 8" are changed by this patch to use an inline
       function from host2net.h.

       (back ported from commit 2183683bd633818dd031b090b5530951de76f392)

and released with 2.0.27

   commit 8d47e6e5235b6ecb41baf52865c5837c1de962b5
   Author: Werner Koch <w...@gnupg.org>
   Date:   Wed Feb 18 14:10:57 2015 +0100

       Release 2.0.27

Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
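The "sign extension on shift" problem named in the fourth commit message, as an added example that is not part of the original mail and is not GnuPG's code: a big-endian 32-bit field whose first byte is 0x80 or higher turns negative when assembled in `int` and sign-extends when widened, while converting each byte to the unsigned target type first does not. The function names, the length check and the sample bytes are hypothetical; the commit's own helpers (`buf32_to_ulong` and the others) are only named on this page, not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Models the old pattern `p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]`:
 * each byte is promoted to signed int, so a first byte >= 0x80 ends up in
 * the sign bit. The casts give the value two's-complement compilers
 * produce, without relying on signed-overflow undefined behaviour. */
static int32_t naive_be32(const unsigned char *p)
{
    uint32_t u = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
               | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return (int32_t)u;
}

/* Widening the signed result to a 64-bit unsigned type sign-extends it. */
static uint64_t naive_be32_widened(const unsigned char *p)
{
    return (uint64_t)(int64_t)naive_be32(p);
}

/* Inline-helper style: convert every byte to the unsigned target type
 * before shifting, so no sign bit is ever involved. */
static inline uint64_t safe_be32(const unsigned char *p)
{
    return ((uint64_t)p[0] << 24) | ((uint64_t)p[1] << 16)
         | ((uint64_t)p[2] << 8) | (uint64_t)p[3];
}

/* Hypothetical parser check: does the declared length fit in `remaining`? */
static int fits_naive(const unsigned char *p, int remaining)
{
    return naive_be32(p) <= remaining;   /* a negative length passes */
}

static int fits_safe(const unsigned char *p, size_t remaining)
{
    return safe_be32(p) <= (uint64_t)remaining;
}

int main(void)
{
    const unsigned char field[4] = { 0x80, 0x00, 0x00, 0x10 }; /* constructed */
    printf("naive widened: 0x%016llx\n",
           (unsigned long long)naive_be32_widened(field));
    printf("safe:          0x%016llx\n", (unsigned long long)safe_be32(field));
    printf("fits, 64 bytes left (naive/safe): %d/%d\n",
           fits_naive(field, 64), fits_safe(field, 64));
    return 0;
}
```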