Vigil@nce - GnuPG: infinite loop via truncated zlib data
July 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send an encrypted message containing truncated compressed data to trigger an infinite loop in GnuPG, resulting in a denial of service.
Impacted products: Debian, Fedora, GnuPG, openSUSE, Slackware, Ubuntu
Creation date: 24/06/2014
DESCRIPTION OF THE VULNERABILITY
The OpenPGP format compresses the message (zlib algorithm) before encrypting it.
GnuPG uncompresses the message after decrypting it. However, if the compressed data are too short, the do_uncompress() function in the g10/compress.c file waits for the missing data indefinitely.
An attacker can therefore send an encrypted message containing truncated compressed data to trigger an infinite loop in GnuPG, resulting in a denial of service.
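The failure mode described above, as an added example that is not GnuPG's code: it uses Python's zlib module to model only the decompression layer, showing a loop that tests solely for end of stream next to one that treats exhausted input as an error. The function names, the iteration cap and the sample data are assumptions made for this illustration.

```python
import io
import zlib


class TruncatedStreamError(ValueError):
    """Input ended before the zlib stream signalled its end."""


def loop_without_eof_check_spins(src, chunk_size=4096, cap=10_000):
    """Model of a loop that only tests for end of stream.

    Returns True if the loop was still running after `cap` iterations
    (the cap exists only so this demonstration terminates), False if
    the stream completed normally.
    """
    d = zlib.decompressobj()
    for _ in range(cap):
        if d.eof:
            return False
        # At end of input read() returns b"", so no progress is made
        # and d.eof never becomes True for a truncated stream.
        d.decompress(src.read(chunk_size))
    return True


def inflate_stream(src, chunk_size=4096):
    """Inflate a zlib stream from a file-like object, failing on truncation."""
    d = zlib.decompressobj()
    out = bytearray()
    while not d.eof:
        chunk = src.read(chunk_size)
        if not chunk:
            # Input is exhausted but the decompressor still expects data:
            # report the truncation instead of waiting for more.
            raise TruncatedStreamError(
                "compressed data ended after %d output bytes" % len(out))
        out += d.decompress(chunk)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample data, not taken from a real message.
    plain = b"constructed sample message " * 200
    packed = zlib.compress(plain)
    truncated = packed[: len(packed) // 2]
    print(loop_without_eof_check_spins(io.BytesIO(truncated)))
    try:
        inflate_stream(io.BytesIO(truncated))
    except TruncatedStreamError as exc:
        print("rejected:", exc)
```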