| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Jan 2007 14:59:34 +0100
From: Felix von Leitner <felix-fulldisclosure@...e.de>
To: full-disclosure@...ts.grok.org.uk
Subject: gnupg diff available
Hi!
I did a gnupg audit recently. I was, frankly, appalled by the code
quality. It is a desert of pointer manipulation, string copying, memcpy
and strcpy are used all over the place, and sprintf, too.
You can find my diff at
http://dl.fefe.de/gnupg.dif
Please note that
a) I might have missed something
b) I don't claim all fixed parts were exploitable. My attention span
is quite short. If I couldn't figure out where data is coming from
in 30 seconds, I assumed it was user settable and put a fix in.
c) I focused on write accesses. I probably missed a few out of bounds
read accesses. Crashing seems to be an acceptable error handling
mechanism in gnupg (there are already lots of assert() and BUG()
calls) so I also used assert() in most cases.
People are always saying how free and open source software is more
secure because so many eyes look at it... well, I didn't see much
evidence of that in gnupg. Please do use some of your time to actually
look at source code and find bugs.
I tried to give Werner Koch (the author) advance warning, but he was
neither helpful nor did he appear interested. So please don't make
0-days out of this.
Thank you,
Felix
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists