Details about 12 previously unknown and still unpatched vulnerabilities in the GnuPG (GNU Privacy Guard) toolkit were revealed at the 39C3 (Chaos Communication Congress) conference in Germany. GnuPG provides OpenPGP- and S/MIME-compliant utilities for data encryption, electronic signatures, key management, and access to public key servers. The vulnerabilities allow digital signature verification to be bypassed and code execution to be achieved when processing encrypted data in ASCII representation (ASCII Armor). Working exploit prototypes and patches are to be published later; CVE identifiers have not yet been assigned.
These vulnerabilities stem from errors in the data-processing and format-parsing code, not from flaws in the cryptographic algorithms. For example, one parser error causes gpg to misidentify which data was actually signed, so the data presented to the user as verified may differ from the data that was signed; this lets an attacker substitute plaintext without access to the private key.
Identified problems include:
- An error in the parser for encrypted data distributed in ASCII Armor format leads to a write past the end of a memory buffer. This may allow code execution when gpg processes specially crafted data. The issue lies in the armor_filter() function: the "n" counter is incremented twice within the "for" loop, so one extra byte is written beyond the buffer.
- The ability to create or overwrite any file the current user's permissions allow, due to incorrect handling of the "filename" field in the data packet. This can be exploited to achieve code execution on the system when the recipient runs certain commands to view the files sent by the attacker.
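The armor_filter() item above describes a double increment of a loop counter producing a one-byte write past the buffer. The following is an added illustration of that defect class and its fix; it is constructed for this article and is not GnuPG's armor_filter() code. The toy line copier, the buffer size LINE_BUF and the GUARD sentinel are assumptions chosen so that the out-of-bounds write can be observed deterministically (the probe arena is one byte larger than the logical buffer, so the stray write stays inside real storage).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINE_BUF 8      /* logical size of the output line buffer (constructed) */
#define GUARD '#'       /* sentinel written just past the logical buffer */

/* Constructed illustration, NOT GnuPG's armor_filter(): copy one line from
 * src into dst, keeping a CR together with the byte that follows it.  The
 * counter n is advanced by the for header AND again inside the body, and the
 * second advance is never checked against buflen.  When the CR lands in the
 * last slot, the follow-up write goes one byte past the buffer. */
static size_t copy_line_buggy(char *dst, size_t buflen,
                              const char *src, size_t srclen)
{
    size_t n;
    for (n = 0; n < buflen && n < srclen; n++) {
        dst[n] = src[n];
        if (src[n] == '\r') {
            n++;                /* second increment: no bound check */
            dst[n] = src[n];    /* off-by-one write when n == buflen */
        }
    }
    return n;
}

/* Same logic with the second advance validated before it is used. */
static size_t copy_line_fixed(char *dst, size_t buflen,
                              const char *src, size_t srclen)
{
    size_t n;
    for (n = 0; n < buflen && n < srclen; n++) {
        dst[n] = src[n];
        if (src[n] == '\r') {
            if (n + 1 >= buflen || n + 1 >= srclen)
                return n + 1;   /* buffer (or input) exhausted: stop cleanly */
            n++;
            dst[n] = src[n];
        }
    }
    return n;
}

/* Run one copier over constructed input laid out so the CR is the last byte
 * that fits, then report whether the guard byte past the logical buffer was
 * clobbered (1) or left intact (0). */
static int overflow_detected(size_t (*copier)(char *, size_t,
                                              const char *, size_t))
{
    char arena[LINE_BUF + 1];
    const char src[] = "abcdefg\r\nrest";   /* constructed: CR at index 7 */

    memset(arena, GUARD, sizeof arena);
    copier(arena, LINE_BUF, src, sizeof src - 1);
    return arena[LINE_BUF] != GUARD;
}

int main(void)
{
    printf("buggy copier clobbers guard byte: %d\n",
           overflow_detected(copy_line_buggy));
    printf("fixed copier clobbers guard byte: %d\n",
           overflow_detected(copy_line_fixed));
    return 0;
}
```

The defensive point is the one the fix shows: every place a loop counter is advanced must be followed by a bound check before the counter is used as an index, not only the check in the loop header. A guard byte (or a sanitizer such as AddressSanitizer on a real build) is the cheapest way to confirm the write in a regression test.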
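The second item above concerns a "filename" field taken from the data packet and used as an output path. The following is an added example of the validation a consumer of such a field should apply before touching the filesystem; it is constructed for this article and is not GnuPG's code. It assumes the field is delivered as a length-prefixed byte string (name plus len) and that the program only ever wants a bare file name in the current directory; any separator, traversal component, embedded NUL, control character or leading "-" is rejected rather than sanitised.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 255   /* assumed upper bound for a bare file name */

/* Constructed illustration (not GnuPG's code): decide whether a filename
 * taken from an untrusted data packet is acceptable as a bare output file
 * name in the current directory.  Returns 1 when acceptable, 0 otherwise. */
static int packet_filename_is_safe(const char *name, size_t len)
{
    if (name == NULL || len == 0 || len > NAME_MAX_LEN)
        return 0;
    /* An embedded NUL would silently truncate the path in later C string use. */
    if (memchr(name, '\0', len) != NULL)
        return 0;
    /* "." and ".." are never legitimate output names. */
    if (len == 1 && name[0] == '.')
        return 0;
    if (len == 2 && name[0] == '.' && name[1] == '.')
        return 0;
    /* A leading '-' could be parsed as an option if the name is passed to a tool. */
    if (name[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        /* Any separator means an absolute path or a traversal attempt. */
        if (c == '/' || c == '\\')
            return 0;
        /* Control characters have no place in a file name. */
        if (c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample values: the first should pass, the rest fail. */
    const char *samples[] = { "report.txt", "../../.bashrc", "/etc/passwd",
                              "..", "-rf", "C:\\Users\\x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               packet_filename_is_safe(samples[i], strlen(samples[i]))
                   ? "accept" : "reject");
    return 0;
}
```

Rejecting rather than rewriting is deliberate: stripping separators out of an attacker-controlled name still leaves the attacker choosing the final name, whereas a reject forces the program to fall back to a name it derives itself, which is what a "write only where the user expects" policy requires.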