GnuPG uses data structures called filters to process
OpenPGP messages. These filters are used in a similar
way as a pipelines in the shell. For communication
between these filters context structures are used. These
are usually allocated on the stack and passed to the
filter functions. At most places the OpenPGP data stream
fed into these filters is closed before the context
structure gets deallocated. While decrypting encrypted
packets, this may not happen in all cases and the filter
may use a void contest structure filled with garbage. An
attacker may control this garbage. The filter context
includes another context used by the low-level decryption
to access the decryption algorithm. This is done using a
function pointer. By carefully crafting an OpenPGP
message, an attacker may control this function pointer and
call an arbitrary function of the process. Obviously an
exploit needs to prepared for a specific version,
compiler, libc, etc to be successful - but it is
definitely doable.
Fixing this is obvious: We need to allocate the context on
the heap and use a reference count to keep it valid as
long as either the controlling code or the filter code
needs it.
We have checked all other usages of such a stack based
filter contexts but fortunately found no other vulnerable
places. This allows to release a relatively small patch.
However, for reasons of code cleanness and easier audits
we will soon start to change all these stack based filter
contexts to heap based ones.