| commit f0b33b6fb8e0586e9584a7a409dcc31263776a67 |
| Author: Werner Koch <wk@gnupg.org> |
| Date: Thu Dec 20 09:43:41 2012 +0100 |
| |
| gpg: Import only packets which are allowed in a keyblock. |
| |
| * g10/import.c (valid_keyblock_packet): New. |
| (read_block): Store only valid packets. |
| -- |
| |
| A corrupted key, which for example included a mangled public key |
| encrypted packet, used to corrupt the keyring. This change skips all |
| packets which are not allowed in a keyblock. |
| |
| GnuPG-bug-id: 1455 |
| |
| (cherry-picked from commit f795a0d59e197455f8723c300eebf59e09853efa) |
| |
| Upstream-Status: Backport |
| CVE: CVE-2012-6085 |
| |
| Signed-off-by: Saul Wold <sgw@linux.intel.com> |
| |
| diff --git a/g10/import.c b/g10/import.c |
| index bfe02eb..a57b32e 100644 |
| --- a/g10/import.c |
| +++ b/g10/import.c |
| @@ -384,6 +384,27 @@ import_print_stats (void *hd) |
| } |
| |
| |
| +/* Return true if PKTTYPE is valid in a keyblock. */ |
| +static int |
| +valid_keyblock_packet (int pkttype) |
| +{ |
| + switch (pkttype) |
| + { |
| + case PKT_PUBLIC_KEY: |
| + case PKT_PUBLIC_SUBKEY: |
| + case PKT_SECRET_KEY: |
| + case PKT_SECRET_SUBKEY: |
| + case PKT_SIGNATURE: |
| + case PKT_USER_ID: |
| + case PKT_ATTRIBUTE: |
| + case PKT_RING_TRUST: |
| + return 1; |
| + default: |
| + return 0; |
| + } |
| +} |
| + |
| + |
| /**************** |
| * Read the next keyblock from stream A. |
| * PENDING_PKT should be initialzed to NULL |
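Review bot: The allow-list in `valid_keyblock_packet` accepts `PKT_RING_TRUST` with no explanation, and the one-line comment does not say that the `default:` arm is a deliberate default-deny. In OpenPGP, trust packets are keyring-local metadata rather than part of a transferable key. Whether trust values arriving through an import are stripped or ignored later is not visible in this hunk, so a reader cannot tell from here. I would widen the comment to `/* Return true if PKTTYPE may be stored in a keyblock. This is an allow-list: unknown or future packet types are rejected. */` and add one sentence saying why ring-trust packets are admitted and where imported ones are dealt with.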
| @@ -461,7 +482,7 @@ read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root ) |
| } |
| in_cert = 1; |
| default: |
| - if( in_cert ) { |
| + if (in_cert && valid_keyblock_packet (pkt->pkttype)) { |
| if( !root ) |
| root = new_kbnode( pkt ); |
| else |
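Review bot: A packet rejected by the new `valid_keyblock_packet (pkt->pkttype)` test in the `default:` arm has no release path in the visible lines; only the accepted branch hands `pkt` over to a kbnode. The rest of read_block lies outside the hunk, so this is inferred. If the code after the `if` only re-initialises `pkt`, the parsed payload of every skipped packet would leak, and the leak would grow with the number of foreign packets in the input. An `else free_packet (pkt);` on this `if` would close that. The drop is also silent: a `log_info` line under verbose naming the skipped packet type would let whoever runs the import see that the input held packets that do not belong in a keyblock.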