diff options
author | salo <salo> | 2006-06-24 14:20:29 +0000 |
---|---|---|
committer | salo <salo> | 2006-06-24 14:20:29 +0000 |
commit | 29fed7292b09066cbd296b6fb7013f72b1d5810c (patch) | |
tree | 673699baffb395a61eead08b17ec34e9cd5ad49c /security/gnupg/patches | |
parent | 070a6159d99528d70aa0e9c9cb3b5764c5168021 (diff) | |
download | pkgsrc-29fed7292b09066cbd296b6fb7013f72b1d5810c.tar.gz |
Security fix for CVE-2006-3082:
"parse-packet.c in GnuPG (gpg) 1.4.3 and 1.9.20, and earlier versions,
allows remote attackers to cause a denial of service (gpg crash) and
possibly overwrite memory via a message packet with a large length,
which could lead to an integer overflow, as demonstrated using the
--no-armor option."
Patch from GnuPG CVS repository.
Bump PKGREVISION.
Diffstat (limited to 'security/gnupg/patches')
-rw-r--r-- | security/gnupg/patches/patch-ba | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/security/gnupg/patches/patch-ba b/security/gnupg/patches/patch-ba new file mode 100644 index 00000000000..2027b44108c --- /dev/null +++ b/security/gnupg/patches/patch-ba @@ -0,0 +1,27 @@ +$NetBSD: patch-ba,v 1.1 2006/06/24 14:20:29 salo Exp $ + +Security fix for CVE-2006-3082, from GnuPG CVS repository. + +--- g10/parse-packet.c.orig 2005-12-06 14:22:19.000000000 +0100 ++++ g10/parse-packet.c 2006-06-24 16:09:34.000000000 +0200 +@@ -1972,6 +1972,20 @@ + { + byte *p; + ++ /* Cap the size of a user ID at 2k: a value absurdly large enough ++ that there is no sane user ID string (which is printable text ++ as of RFC2440bis) that won't fit in it, but yet small enough to ++ avoid allocation problems. A large pktlen may not be ++ allocatable, and a very large pktlen could actually cause our ++ allocation to wrap around in xmalloc to a small number. */ ++ ++ if(pktlen>2048) ++ { ++ log_error("packet(%d) too large\n", pkttype); ++ iobuf_skip_rest(inp, pktlen, 0); ++ return G10ERR_INVALID_PACKET; ++ } ++ + packet->pkt.user_id = xmalloc_clear(sizeof *packet->pkt.user_id + pktlen); + packet->pkt.user_id->len = pktlen; + packet->pkt.user_id->ref=1; |