Full Disclosure mailing list archives
gnupg diff available
From: Felix von Leitner <felix-fulldisclosure () fefe de>
Date: Mon, 15 Jan 2007 14:59:34 +0100
Hi! I did a gnupg audit recently. I was, frankly, appalled by the code quality. It is a desert of pointer manipulation, string copying, memcpy and strcpy are used all over the place, and sprintf, too. You can find my diff at http://dl.fefe.de/gnupg.dif Please note that a) I might have missed something b) I don't claim all fixed parts were exploitable. My attention span is quite short. If I couldn't figure out where data is coming from in 30 seconds, I assumed it was user settable and put a fix in. c) I focused on write accesses. I probably missed a few out of bounds read accesses. Crashing seems to be an acceptable error handling mechanism in gnupg (there are already lots of assert() and BUG() calls) so I also used assert() in most cases. People are always saying how free and open source software is more secure because so many eyes look at it... well, I didn't see much evidence of that in gnupg. Please do use some of your time to actually look at source code and find bugs. I tried to give Werner Koch (the author) advance warning, but he was neither helpful nor did he appear interested. So please don't make 0-days out of this. Thank you, Felix _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- gnupg diff available Felix von Leitner (Jan 15)
- Re: gnupg diff available Matthew Flaschen (Jan 24)