File gpg2-2.0.24-compressed-data-infinite-loop.patch of Package gpg2.openSUSE_13.1_Update

From: Werner Koch <wk@gnupg.org>
Date: Fri, 20 Jun 2014 08:39:26 +0000 (+0200)
Subject: gpg: Avoid infinite loop in uncompressing garbled packets.
Upstream: Committed
References: bnc#884130 CVE-2014-4617 http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=11fdfcf82bd8d2b5bc38292a29876e10770f4b0a;hp=23191d7851eae2217ecdac6484349849a24fd94a

gpg: Avoid infinite loop in uncompressing garbled packets.

* g10/compress.c (do_uncompress): Limit the number of extra FF bytes.
--

A packet like (a3 01 5b ff) leads to an infinite loop.  Using
--max-output won't help if it is a partial packet.  This patch
actually fixes a regression introduced on 1999-05-31 (c34c6769).
Actually it would be sufficient to stuff just one extra 0xff byte.
Given that this problem popped up only after 15 years, I feel safer to
allow for a very few FF bytes.

---

---
 g10/compress.c |   21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

Index: gnupg-2.0.22/g10/compress.c
===================================================================
--- gnupg-2.0.22.orig/g10/compress.c	2014-06-24 23:50:50.000000000 +0100
+++ gnupg-2.0.22/g10/compress.c	2014-06-24 23:52:46.000000000 +0100
@@ -137,7 +137,7 @@ init_uncompress( compress_filter_context
      * PGP uses a windowsize of 13 bits. Using a negative value for
      * it forces zlib not to expect a zlib header.  This is a
      * undocumented feature Peter Gutmann told me about.
-     *    
+     *
      * We must use 15 bits for the inflator because CryptoEx uses 15
      * bits thus the output would get scrambled w/o error indication
      * if we would use 13 bits.  For the uncompressing this does not
@@ -161,7 +161,8 @@ do_uncompress( compress_filter_context_t
 	       IOBUF a, size_t *ret_len )
 {
     int zrc;
-    int rc=0;
+    int rc = 0;
+    int leave = 0;
     size_t n;
     int nread, count;
     int refill = !zs->avail_in;
@@ -179,13 +180,14 @@ do_uncompress( compress_filter_context_t
 	    nread = iobuf_read( a, zfx->inbuf + n, count );
 	    if( nread == -1 ) nread = 0;
 	    n += nread;
-	    /* If we use the undocumented feature to suppress
-	     * the zlib header, we have to give inflate an
-	     * extra dummy byte to read */
-	    if( nread < count && zfx->algo == 1 ) {
-		*(zfx->inbuf + n) = 0xFF; /* is it really needed ? */
-		zfx->algo1hack = 1;
+	    /* Algo 1 has no zlib header which requires us to to give
+	     * inflate an extra dummy byte to read. To be on the safe
+	     * side we allow for up to 4 ff bytes.  */
+	    if( nread < count && zfx->algo == 1 && zfx->algo1hack < 4) {
+		*(zfx->inbuf + n) = 0xFF;
+		zfx->algo1hack++;
 		n++;
+                leave = 1;
 	    }
 	    zs->avail_in = n;
 	}
@@ -205,7 +207,8 @@ do_uncompress( compress_filter_context_t
 	    else
 		log_fatal("zlib inflate problem: rc=%d\n", zrc );
 	}
-    } while( zs->avail_out && zrc != Z_STREAM_END && zrc != Z_BUF_ERROR );
+    } while (zs->avail_out && zrc != Z_STREAM_END && zrc != Z_BUF_ERROR
+             && !leave);
 
     *ret_len = zfx->outbufsize - zs->avail_out;
     if( DBG_FILTER )