GnuPG Memory Corruption Vulnerability in Armor Parsing Component Allowing Out-of-Bounds Writes

Vulnerability

A memory corruption vulnerability has been identified in GnuPG versions through 2.4.8, in the armor_filter function of the armor component. A faulty double increment of an index variable leads to an out-of-bounds write when crafted input is processed. The bug is reached through GnuPG's ASCII-armor parsing, so manipulated input can trigger it, causing memory corruption that could potentially be exploited for remote code execution.

Impact

Exploitation of this vulnerability causes memory corruption in the GnuPG process, with the potential for remote code execution.

Reproduction

The vulnerability can be reproduced with an intentionally malformed PGP message. The message includes valid ASCII armor, such as 'BEGIN PGP MESSAGE', followed by a binary payload, and is crafted so that GnuPG interprets it as armored data. Once the message is handled as armored data, it bypasses normal checks and causes the double-increment error in the armor_filter function.

Remediation

Users can update to GnuPG version 2.5.14 or later, where this vulnerability has been fixed.
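
A first-pass triage of installed binaries against the two version bounds stated above, as an added example (not code from GnuPG or from this advisory). The function names and the "unconfirmed" bucket for versions the page does not mention are assumptions of this sketch.

```python
import re
import shutil
import subprocess

# Bounds taken from the advisory text; nothing else is assumed about the fix.
AFFECTED_THROUGH = (2, 4, 8)   # "versions through 2.4.8"
FIXED_FROM = (2, 5, 14)        # "2.5.14 or later"

# First line of `gpg --version`, e.g. "gpg (GnuPG) 2.4.8"
_BANNER = re.compile(r"^gpg\S*\s+\(GnuPG[^)]*\)\s+(\d+)\.(\d+)\.(\d+)", re.M)


def parse_version(banner):
    """Return (major, minor, patch) from `gpg --version` output, or None."""
    m = _BANNER.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def classify(banner):
    """Map a version banner to affected / fixed / unconfirmed / unparsed."""
    v = parse_version(banner)
    if v is None:
        return "unparsed"
    if v >= FIXED_FROM:
        return "fixed"
    if v <= AFFECTED_THROUGH:
        return "affected"
    # Between the two bounds the advisory makes no statement; treat the
    # host as unpatched until it is upgraded or the vendor confirms a fix.
    return "unconfirmed"


def check_installed(names=("gpg", "gpg2")):
    """Classify every gpg binary found on PATH. Returns {path: verdict}."""
    results = {}
    for name in names:
        path = shutil.which(name)
        if path is None:
            continue
        out = subprocess.run([path, "--version"], capture_output=True,
                             text=True, timeout=10).stdout
        results[path] = classify(out)
    return results


if __name__ == "__main__":
    # Caveat: distribution packages may backport a fix without changing the
    # upstream version string, so confirm "affected" results against the
    # package changelog before escalating.
    for path, verdict in check_installed().items():
        print(f"{path}: {verdict}")
```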

Added: Dec 28, 2025, 5:18 PM
Updated: Dec 28, 2025, 5:18 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 7.5
exploitability: 5.8
remediation: 7.7
relevance: 1.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.