From 9ef4d8d890939ad97e8fa1ea57209bff93a1a66f Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 30 Jul 2014 11:04:55 +0200 Subject: [CVE-2014-3564] Fix possible realloc overflow for gpgsm and uiserver engines. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * src/engine-gpgsm.c (status_handler): * src/engine-uiserver.c (status_handler): -- After a realloc (realloc is also used for initial alloc) the allocated size if the buffer is not correctly recorded. Thus an overflow can be introduced by receiving data with different line lengths in a specific order. This is not easy exploitable because libassuan constructs the line. However a crash has been reported and thus it might be possible to constructs an exploit. Change-Id: I6d7bdc267f2e45be0ccd47fa4b68e0c358370e91 CVE-id: CVE-2014-3564 Reported-by: Tomáš Trnka Signed-off-by: DongHun Kwak --- src/engine-gpgsm.c | 2 +- src/engine-uiserver.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/engine-gpgsm.c b/src/engine-gpgsm.c index 0620458..f35e1f7 100644 --- a/src/engine-gpgsm.c +++ b/src/engine-gpgsm.c @@ -834,7 +834,7 @@ status_handler (void *opaque, int fd) else { *aline = newline; - gpgsm->colon.attic.linesize += linelen + 1; + gpgsm->colon.attic.linesize = *alinelen + linelen + 1; } } if (!err) diff --git a/src/engine-uiserver.c b/src/engine-uiserver.c index c705a4b..87ae162 100644 --- a/src/engine-uiserver.c +++ b/src/engine-uiserver.c @@ -699,7 +699,7 @@ status_handler (void *opaque, int fd) else { *aline = newline; - uiserver->colon.attic.linesize += linelen + 1; + uiserver->colon.attic.linesize = *alinelen + linelen + 1; } } if (!err) -- cgit v1.2.3