Closed Bug 1673242 Opened 4 years ago Closed 3 years ago

RNP-01-011 WP1 RNP: Potential overflow in librepgp due to invalid size check (Low)

Categories: MailNews Core :: Security: OpenPGP (defect)

Tracking: RESOLVED FIXED, 84 Branch; thunderbird_esr78: fixed

People: Reporter: wsmwk, Assigned: o.nickolay

Details: Keywords: sec-low; Whiteboard: [RNP][fixed-in-rnp]

While investigating the handling of streams in the RNP library, it was discovered that a function used to initialize output streams checks the length of the file path incorrectly. This could enable attackers with control over the path parameter to write a NULL character one byte past an allocated buffer. Shown below is the affected source code in the RNP library.

Affected File:
rnp/src/librepgp/stream-common.cpp

Affected Code:

init_file_dest(pgp_dest_t *dst, const char *path, bool overwrite)
{
  [...]
  pgp_dest_file_param_t *param;

  /* Off by one: a path of exactly sizeof(param->path) bytes passes this check,
     but strcpy() below also needs room for the terminating NULL character. */
  if (strlen(path) > sizeof(param->path)) {
      RNP_LOG("path too long");
      return RNP_ERROR_BAD_PARAMETERS;
  }
  [...]
  param = (pgp_dest_file_param_t *) dst->param;
  param->fd = fd;
  strcpy(param->path, path);   /* writes strlen(path) + 1 bytes */
  [...]

In order to reject overly long paths, the function checks whether the length of the parameter exceeds the size of the buffer the string is copied to. However, the check does not account for the additional NULL character that strcpy() appends. If the path's length equals the size of param->path, the NULL character is written past the end of the buffer. It was not further investigated whether the issue is relevant in a remote context. It is recommended to also reject paths whose length equals the size of param->path, so that the additional NULL character written by strcpy() always fits.
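The boundary case described above, shown as an added example that is not RNP's own code: the original `>` check and the recommended `>=` check are compared on a path whose length is exactly the buffer size, and the corrected initialization copies only after the stricter check passes. The struct, its buffer size and the function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for pgp_dest_file_param_t::path; the real buffer is
 * larger, a small size just makes the boundary easy to see. */
#define PATH_BUF_SIZE 8

typedef struct {
    char path[PATH_BUF_SIZE];
} file_param_t;

/* The original check: a path whose length equals the buffer size is accepted,
 * leaving no room for the NULL terminator that strcpy() appends. */
bool path_accepted_original(const char *path, size_t bufsize)
{
    return !(strlen(path) > bufsize);
}

/* The corrected check: the path must leave one byte for the terminator. */
bool path_accepted_fixed(const char *path, size_t bufsize)
{
    return !(strlen(path) >= bufsize);
}

/* Corrected initialization: validate first, copy only when the path and its
 * terminator fit. Returns 0 on success, -1 when the path is rejected. */
int init_file_param(file_param_t *param, const char *path)
{
    if (!path_accepted_fixed(path, sizeof(param->path))) {
        fprintf(stderr, "path too long\n");
        return -1;
    }
    strcpy(param->path, path); /* strlen(path) + 1 <= sizeof(param->path) */
    return 0;
}

/* Shared instance so callers can inspect the copied contents. */
file_param_t g_param;

int main(void)
{
    const char *boundary = "12345678"; /* 8 bytes: exactly PATH_BUF_SIZE */
    printf("original check accepts boundary path: %d\n",
           path_accepted_original(boundary, PATH_BUF_SIZE));
    printf("fixed check accepts boundary path:    %d\n",
           path_accepted_fixed(boundary, PATH_BUF_SIZE));
    printf("init with 7-byte path -> %d\n", init_file_param(&g_param, "1234567"));
    return 0;
}
```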

Whiteboard: [RNP] → [RNP][fixed-in-rnp]
Keywords: sec-low

Fixed by bug 1675516
78.5.1

Status: NEW → RESOLVED
Closed: 3 years ago
Depends on: 1675516
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch
Group: mail-core-security