FreeBSD : gnupg -- remotely controllable function pointer (4db1669c-8589-11db-ac4f-02e081235dab)

critical Nessus Plugin ID 23794

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Werner Koch reports :

GnuPG uses data structures called filters to process OpenPGP messages.
These filters are used in a similar way as a pipelines in the shell.
For communication between these filters context structures are used.
These are usually allocated on the stack and passed to the filter functions. At most places the OpenPGP data stream fed into these filters is closed before the context structure gets deallocated. While decrypting encrypted packets, this may not happen in all cases and the filter may use a void contest structure filled with garbage. An attacker may control this garbage. The filter context includes another context used by the low-level decryption to access the decryption algorithm. This is done using a function pointer. By carefully crafting an OpenPGP message, an attacker may control this function pointer and call an arbitrary function of the process. Obviously an exploit needs to prepared for a specific version, compiler, libc, etc to be successful - but it is definitely doable.

Fixing this is obvious: We need to allocate the context on the heap and use a reference count to keep it valid as long as either the controlling code or the filter code needs it.

We have checked all other usages of such a stack based filter contexts but fortunately found no other vulnerable places. This allows to release a relatively small patch. However, for reasons of code cleanness and easier audits we will soon start to change all these stack based filter contexts to heap based ones.

Solution

Update the affected package.

See Also

https://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000246.html

http://www.nessus.org/u?aa061560

Plugin Details

Severity: Critical

ID: 23794

File Name: freebsd_pkg_4db1669c858911dbac4f02e081235dab.nasl

Version: 1.14

Type: local

Published: 12/11/2006

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:gnupg, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 12/7/2006

Vulnerability Publication Date: 12/4/2006

Reference Information

CVE: CVE-2006-6235

Secunia: 23245