FreeBSD : gnupg -- remotely controllable function pointer (4db1669c-8589-11db-ac4f-02e081235dab)

This script is Copyright (C) 2006-2013 Tenable Network Security, Inc.

Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Werner Koch reports :

GnuPG uses data structures called filters to process OpenPGP messages.
These filters are used in a similar way as a pipelines in the shell.
For communication between these filters context structures are used.
These are usually allocated on the stack and passed to the filter
functions. At most places the OpenPGP data stream fed into these
filters is closed before the context structure gets deallocated. While
decrypting encrypted packets, this may not happen in all cases and the
filter may use a void contest structure filled with garbage. An
attacker may control this garbage. The filter context includes another
context used by the low-level decryption to access the decryption
algorithm. This is done using a function pointer. By carefully
crafting an OpenPGP message, an attacker may control this function
pointer and call an arbitrary function of the process. Obviously an
exploit needs to prepared for a specific version, compiler, libc, etc
to be successful - but it is definitely doable.

Fixing this is obvious: We need to allocate the context on the heap
and use a reference count to keep it valid as long as either the
controlling code or the filter code needs it.

We have checked all other usages of such a stack based filter contexts
but fortunately found no other vulnerable places. This allows to
release a relatively small patch. However, for reasons of code
cleanness and easier audits we will soon start to change all these
stack based filter contexts to heap based ones.

See also :

Solution :

Update the affected package.

Risk factor :

Critical / CVSS Base Score : 10.0

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 23794 (freebsd_pkg_4db1669c858911dbac4f02e081235dab.nasl)

Bugtraq ID:

CVE ID: CVE-2006-6235

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now