Cryptography Breakdown

| No Comments | No TrackBacks
brokenlock_fristle.jpgThis week's 'security news that fell through the cracks' is a vulnerability in GnuPG: CVE-2013-4402 is a curious little bug that allows a maliciously-formatted PGP message to consume infinite resources on a computer system.

The idea that there are parsing bugs in OpenPGP messages and keys shouldn't be a terrible surprise.  The specification defining the format for an OpenPGP message is a touch complex, and plenty of implementations get things wrong.

Take the PGPDump utility, which has the sole purpose of parsing OpenPGP messages.  It makes the unfortunate decision to use signed integers throughout its packet parsing, to ill effect.  To see some problems for yourself, run pgpdump on Manual.gpg, a maliciously-crafted document (don't worry, it isn't terribly malicious -- it simply contains a large size in Field 1, which results in pgpdump reporting a negative size for the file stream).  It is meant mostly as an example of why defining complex file formats and implementing the parsing and generation engines in the C language can be a daunting task.

The GnuPG programmers are crazy smart, plenty paranoid, and are way better C coders than i could ever hope to be.  They are humans.  I'm sure they do their best to secure the tool.  We remain hopeful that this little bug will turn a lot of bug-hunters eyes to GnuPG to squash any bugs that might be lingering around the codebase.

No TrackBacks

TrackBack URL:

Leave a comment

About this Entry

This page contains a single entry by giminy published on October 10, 2013 10:12 PM.

Carte Blanche: A Social Experiment was the previous entry in this blog.

Introducing the Modbus VCR is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.