View Issue Details

IDProjectCategoryView StatusLast Update
0001431Main CAcert WebsiteGPG/PGPpublic2018-06-11 12:13
ReporterwytzeAssigned ToGuKKDevel 
PriorityurgentSeveritycrashReproducibilityalways
Status needs review & testingResolutionopen 
PlatformMain CAcert WebsiteOSN/AOS Versionstable
Product Version2017 Q4 
Target Version2017 Q4Fixed in Version 
Summary0001431: GPG/PGP signing request is not properly checked for images
DescriptionA GPG/PGP signing request submitted to CAcert should not contain an image (as stated on the submission page). However, the code which validates and massages the signing request, does not properly check for this. As a result, it is possible to (accidentally or deliberately) create a very large signing request, by including a large image. Such requests will cause the communication between the web frontend and the signer machine to fail, and *all* certificate signing is blocked from that moment on.
Steps To ReproduceI have not attempted to reproduce the problem, but there is historic evidence present on the production servers. Look for gpg requests 23644, 23645 or 23656 (they are identical). The first one caused a blockade of all CAcert signing from Fridat 16.02.2018 23:01 until Sunday 18.02.2018 16:00, when the problem was recognised and "remedied" by moving the signing request to the side. This particular signing request contained an image of 955207 bytes.
Additional InformationDue to the nature of this problem, any CAcert user with sufficient points to submit a GPG signing request, is able to block all signing operations. Therefore this bug will be set to private until a solution can be implemented.

In my view there are two problems to be solved here:
1. GPG signing requests with images should be rejected or filtered (probably not very difficult).
2. The communcation process between web frontend and signer should be resistent against huge requests: either handle them correctly, or reject them beforehand (probably difficult).
If issue #1 is solved, the priority for solving issue 0000002 can be lowered.
TagsGPG
Reviewed by
Test Instructions

Issue History

Date Modified Username Field Change
2018-02-19 09:10 wytze New Issue
2018-02-19 09:10 wytze Tag Attached: GPG
2018-02-28 09:43 dastrath Assigned To => GuKKDevel
2018-03-05 14:32 GuKKDevel Note Added: 0005577
2018-03-11 11:12 GuKKDevel Status new => fix available
2018-04-05 14:03 GuKKDevel Status fix available => needs review & testing
2018-04-05 14:05 GuKKDevel Status needs review & testing => fix available
2018-04-05 14:05 GuKKDevel View Status private => public
2018-06-11 12:13 GuKKDevel Status fix available => needs review & testing