Advisory ID: SYSS-2016-030 Product: pgpdump Maintainer: Kazu Yamamoto Affected Version(s): 0.29 Tested Version(s): 0.29 Vulnerability Type: Improper Input Validation (CWE-20) Risk Level: Low Solution Status: Fixed (in 0.30) Maintainer Notification: 2016-04-12 Solution Date: 2016-04-12 Public Disclosure: 2016-04-12 CVE Reference: CVE-2016-4021 Author of Advisory: Klaus Eisentraut, SySS GmbH, https://www.syss.de/advisories/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: "pgpdump" is a PGP packet visualizer which displays the packet format of OpenPGP (RFC 4880) and PGP version 2 (RFC 1991) (see [1]). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: When pgpdump is run on specially crafted input, a Denial-of-Service condition occurs. The program runs with 100% CPU usage for an indefinite amount of time. This can be abused in scenarios where users can supply input to pgpdump, e.g. in http://www.pgpdump.net/. The SySS GmbH believes that such a scenario is rare. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The vulnerability can be reproduced by the following command: $ echo -en '\xa3\x03' | ./pgpdump Old: Compressed Data Packet(tag 8) Comp alg - BZip2(comp 3) [ ... endless loop ...] After issuing the command above, pgpdump 0.29 is running in an endless loop and consuming 100% CPU utilization. This happens because of missing error and EOF checking in the function read_binary() in the C file buffer.c. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The SySS GmbH provides the following patch which fixes the issue and was provided as pull request on github.com. [3] $ git diff origin/master HEAD diff --git a/buffer.c b/buffer.c index 2cafc57..d7de94c 100644 --- a/buffer.c +++ b/buffer.c @@ -81,8 +81,11 @@ line_not_blank(byte *s) private int read_binary(byte *p, unsigned int max) { - /* errno */ - return fread(p, sizeof(byte), max, stdin); + size_t ret = fread(p, sizeof(byte), max, stdin); + if (feof(stdin) | ferror(stdin)) { + warn_exit("error in read_binary, maybe preliminary EOF?"); + } + return ret; } private int Furthermore, the maintainer Kazu Yamamoto was contacted via email. The modified patch has been merged by him and this vulnerability is now fixed in version 0.30. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2016-04-02: Vulnerability discovered 2016-04-12: Patch released by the SySS GmbH 2016-04-12: Vulnerability reported to the maintainer including patch 2016-04-13: Modified Patch merged by maintainer Kazu Yamamoto 2016-04-15: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] GitHub repository of pgpdump https://github.com/kazu-yamamoto/pgpdump [2] SySS GmbH, SYSS-2016-030 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-030.txt [3] Pull Request on github https://github.com/kazu-yamamoto/pgpdump/pull/16 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Klaus Eisentraut of the SySS GmbH. E-Mail: klaus.eisentraut@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Klaus_Eisentraut.asc Key ID: 0xBAC677AE Key Fingerprint: F5E8 E8E1 A414 4886 0A8B 0411 DAB0 4DB5 BAC6 77AE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en