This repository was archived by the owner on Jun 1, 2026. It is now read-only.

security: CWE-674: Limit embedded signature recursion — VC-53740 #2

Open
torresashjiancyber wants to merge 1 commit into Venafi:master from torresashjiancyber:VC-53740-logos-fix-c
@torresashjiancyber

Summary

Fix uncontrolled recursion vulnerability in OpenPGP embedded signature parsing that could cause stack overflow with deeply nested signature chains.

Finding

CWE-674 (Uncontrolled Recursion) / CWE-400 (Uncontrolled Resource Consumption)

CVSS: 6.8 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)

pgpdump processes OpenPGP Signature Packets that can embed other signature packets (via the Embedded Signature subpacket type 32) without limiting recursion depth. An attacker can craft a deeply nested signature packet (e.g., 10000 levels deep) that causes a stack overflow when parsed.

The recursive call chain:

Signature_Packet() → new_Signature_Packet() → parse_signature_subpacket() → embedded_signature() → Signature_Packet()

Remediation

Added maximum recursion depth enforcement for signature packet parsing:

  • Introduced MAX_SIG_RECURSION_DEPTH constant set to 10 levels
  • Added signature_recursion_depth counter to track current depth
  • Modified Signature_Packet() to increment depth on entry, decrement on exit
  • Return clear error message when depth limit exceeded instead of crashing

This prevents stack overflow while allowing legitimate nested signatures (10 levels is more than sufficient for real-world use cases).

Verification

  • Code review confirms recursion depth is properly bounded
  • Error handling ensures clean abort without stack overflow
  • Fix is minimal and focused on the vulnerability

Ticket: VC-53740
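
The depth guard described in the Remediation list, as an added example that is not code from this pull request or from pgpdump. `MAX_SIG_RECURSION_DEPTH` and `signature_recursion_depth` are the names given above; the toy subpacket layout, `parse_signature()`, `build_nested()` and the `>=` comparison are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_SIG_RECURSION_DEPTH 10   /* limit named in the PR text */
#define SUB_EMBEDDED_SIGNATURE  32   /* subpacket type named in the PR text */

static int signature_recursion_depth = 0;

/* Toy layout (constructed, not real OpenPGP framing): a signature body is a
 * run of subpackets, each [1-byte length L][1-byte type][L-1 data bytes].
 * Type 32 data is itself a signature body. Returns 0 if parsed, -1 if the
 * input is malformed or nests deeper than the limit. */
int parse_signature(const unsigned char *buf, size_t len)
{
    int rc = 0;
    size_t pos = 0;

    if (signature_recursion_depth >= MAX_SIG_RECURSION_DEPTH)
        return -1;                       /* refuse before using more stack */
    signature_recursion_depth++;

    while (pos < len) {
        size_t sublen = buf[pos++];      /* covers type byte + data */
        if (sublen == 0 || sublen > len - pos) { rc = -1; break; }
        if (buf[pos] == SUB_EMBEDDED_SIGNATURE &&
            parse_signature(buf + pos + 1, sublen - 1) != 0) { rc = -1; break; }
        pos += sublen;
    }
    /* Single exit path: the counter is restored on errors too, so a rejected
     * packet does not leave later packets in the same run starting too deep. */
    signature_recursion_depth--;
    return rc;
}

/* Builds a constructed sample with `depth` nested bodies (1..125, so every
 * length fits in one byte); the innermost holds one type-2 subpacket. */
size_t build_nested(unsigned char *out, int depth)
{
    size_t total = 6 + 2 * (size_t)(depth - 1), pos = 0;
    for (int i = 0; i < depth - 1; i++) {
        out[pos++] = (unsigned char)(total - 2 * i - 1);
        out[pos++] = SUB_EMBEDDED_SIGNATURE;
    }
    out[pos++] = 5; out[pos++] = 2;      /* leaf: type 2 + 4 data bytes */
    for (int k = 0; k < 4; k++) out[pos++] = 0;
    return pos;
}

int main(void)
{
    unsigned char buf[64];
    for (int d = 10; d <= 11; d++)
        printf("depth %d -> %d\n", d, parse_signature(buf, build_nested(buf, d)));
    return 0;
}
```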
