pgpdump 0.29 Endless Loop

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2016-030  
Product: pgpdump  
Maintainer: Kazu Yamamoto  
Affected Version(s): 0.29  
Tested Version(s): 0.29  
Vulnerability Type: Improper Input Validation (CWE-20)  
Risk Level: Low  
Solution Status: Fixed (in 0.30)   
Maintainer Notification: 2016-04-12  
Solution Date: 2016-04-12  
Public Disclosure: 2016-04-12  
CVE Reference: CVE-2016-4021  
Author of Advisory: Klaus Eisentraut, SySS GmbH, https://www.syss.de/advisories/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
"pgpdump" is a PGP packet visualizer which displays the packet format of   
OpenPGP (RFC 4880) and PGP version 2 (RFC 1991) (see [1]).  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
When pgpdump is run on specially crafted input, a Denial-of-Service  
condition occurs. The program runs with 100% CPU usage for an indefinite  
amount of time.  
  
This can be abused in scenarios where users can supply input to pgpdump,  
e.g. in http://www.pgpdump.net/. The SySS GmbH believes that such a  
scenario is rare.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
The vulnerability can be reproduced by the following command:  
  
$ echo -en '\xa3\x03' | ./pgpdump  
Old: Compressed Data Packet(tag 8)  
Comp alg - BZip2(comp 3)  
[ ... endless loop ...]  
  
After issuing the command above, pgpdump 0.29 is running in an endless   
loop and consuming 100% CPU utilization. This happens because of missing  
error and EOF checking in the function read_binary() in the C file  
buffer.c.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
The SySS GmbH provides the following patch which fixes the issue and was   
provided as pull request on github.com. [3]  
  
$ git diff origin/master HEAD  
diff --git a/buffer.c b/buffer.c  
index 2cafc57..d7de94c 100644  
- --- a/buffer.c  
+++ b/buffer.c  
@@ -81,8 +81,11 @@ line_not_blank(byte *s)  
private int  
read_binary(byte *p, unsigned int max)  
{  
- - /* errno */  
- - return fread(p, sizeof(byte), max, stdin);  
+ size_t ret = fread(p, sizeof(byte), max, stdin);  
+ if (feof(stdin) | ferror(stdin)) {  
+ warn_exit("error in read_binary, maybe preliminary EOF?");  
+ }  
+ return ret;  
}  
  
private int  
  
Furthermore, the maintainer Kazu Yamamoto was contacted via email.  
The modified patch has been merged by him and this vulnerability is now  
fixed in version 0.30.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2016-04-02: Vulnerability discovered  
2016-04-12: Patch released by the SySS GmbH  
2016-04-12: Vulnerability reported to the maintainer including patch  
2016-04-13: Modified Patch merged by maintainer Kazu Yamamoto   
2016-04-15: Public release of security advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] GitHub repository of pgpdump  
https://github.com/kazu-yamamoto/pgpdump  
[2] SySS GmbH, SYSS-2016-030  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-030.txt  
[3] Pull Request on github  
https://github.com/kazu-yamamoto/pgpdump/pull/16   
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Klaus Eisentraut of the SySS  
GmbH.  
  
E-Mail: [email protected]  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Klaus_Eisentraut.asc  
Key ID: 0xBAC677AE  
Key Fingerprint: F5E8 E8E1 A414 4886 0A8B 0411 DAB0 4DB5 BAC6 77AE  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIcBAEBCgAGBQJXEM/TAAoJENqwTbW6xneubBYQAJ1bQMH8wZvSE6nrK9oZA1gP  
sqGP6ik+gLPHnAu+7cJGDC4UeMaWbOIreAD3USRPH4BM2x+tkONiuD4+WC8yITne  
O95M1JknhJAAXBOXw+2aFAvZZrpqufW53gL0Lx7/9Vs4cyyVuc3xs8R087RRvLD6  
0+RXSUEM8IcPVmDgunlyHz77/BmNq/eQf7s3XdJPRc+1r8nQUvIfSCPtuqkC7E2K  
NzsoVNA7u9YAyZwPciP+u/NI+20sWbx8IvioD3UKXhySNCUbqErcl/mAED+3FlxP  
6VSAN40IDfvte1+jNaIuWJWONF3NetopUIpdXhq8j1qh9xyvN2KRzcDAkpt79qNn  
1kuiZkW80HGbnAt5AsAh64UfHxOsboFfBXt/1wD4dteVpbPZ8iVzXyYci4e2o7s1  
+3W5ukXQxo/35R5FSIsrzuJycrbDgr7oPZqijupHCWT4kLSGYZWrhExkHyNFmhUO  
j3nVj4Nx+civPSjQNlxhSxJguZ95DGuLJH8p1yn+HAmelq1J0h3U3AQkvnQecatF  
GspvF/69sfUO56y8pYyag6E2WylfKHjUKd4te5D7hvxo1vKFxxUONIqZ+wpJtMKo  
GMQAIMrRMm41WGCkNZjFd/ywDIbYueWRxmrpDpiweK/3YRK8EsuctHfSad7qMaW/  
E03dkOxB6DvuqAFQjLTd  
=5JJp  
-----END PGP SIGNATURE-----  
`