Comment # 5 on bug 981020 from
I can also reproduce the crash with gpg2-2.1.12-1.1 and libgcrypt20-1.6.5-2.1
(see bt in the attachment).

I also ran valgrind. There is an "Invalid read" shortly before the crash:

~> valgrind gpg -k
==10542== Memcheck, a memory error detector
==10542== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==10542== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==10542== Command: gpg -k
==10542== 
gpg: enabled debug flags: memstat
gpg: verwende Vertrauensmodell pgp
gpg: "Trust-DB" wird überprüft
gpg: removing stale lockfile (created by 10456)
gpg: buffer shorter than subpacket
gpg: buffer shorter than subpacket
gpg: signature packet without keyid
gpg: buffer shorter than subpacket
gpg: buffer shorter than subpacket
gpg: buffer shorter than subpacket
gpg: signature packet without keyid
gpg: buffer shorter than subpacket
==10542== Invalid read of size 4
==10542==    at 0x56016B0: _gcry_mpi_normalize.part.0 (mpi-bit.c:61)
==10542==    by 0x560173F: _gcry_mpi_normalize (mpi-bit.c:75)
==10542==    by 0x560173F: _gcry_mpi_get_nbits (mpi-bit.c:79)
==10542==    by 0x429D5D: encode_md_value (seskey.c:350)
==10542==    by 0x43F4AD: check_signature_end_simple (sig-check.c:461)
==10542==    by 0x44000E: check_signature_over_key_or_uid (sig-check.c:892)
==10542==    by 0x4406EF: check_key_signature2 (sig-check.c:1075)
==10542==    by 0x440784: check_key_signature (sig-check.c:686)
==10542==    by 0x429601: keyring_rebuild_cache (keyring.c:1554)
==10542==    by 0x426293: keydb_rebuild_caches (keydb.c:1775)
==10542==    by 0x46FD8E: validate_keys (trustdb.c:1904)
==10542==    by 0x444BB7: public_key_list (keylist.c:133)
==10542==    by 0x40B661: main (gpg.c:4100)
==10542==  Address 0x4 is not stack'd, malloc'd or (recently) free'd
==10542== 

gpg: signal Segmentation fault caught ... exiting
==10542== 
==10542== Process terminating with default action of signal 11 (SIGSEGV)
==10542==    at 0x5EEA908: raise (in /lib64/libc-2.23.so)
==10542==    by 0x5EEA98F: ??? (in /lib64/libc-2.23.so)
==10542==    by 0x56016AF: ??? (in /usr/lib64/libgcrypt.so.20.0.5)
==10542==    by 0x560173F: _gcry_mpi_normalize (mpi-bit.c:75)
==10542==    by 0x560173F: _gcry_mpi_get_nbits (mpi-bit.c:79)
==10542==    by 0x429D5D: encode_md_value (seskey.c:350)
==10542==    by 0x43F4AD: check_signature_end_simple (sig-check.c:461)
==10542==    by 0x44000E: check_signature_over_key_or_uid (sig-check.c:892)
==10542==    by 0x4406EF: check_key_signature2 (sig-check.c:1075)
==10542==    by 0x440784: check_key_signature (sig-check.c:686)
==10542==    by 0x429601: keyring_rebuild_cache (keyring.c:1554)
==10542==    by 0x426293: keydb_rebuild_caches (keydb.c:1775)
==10542==    by 0x46FD8E: validate_keys (trustdb.c:1904)
==10542== 
==10542== HEAP SUMMARY:
==10542==     in use at exit: 3,965,558 bytes in 57,887 blocks
==10542==   total heap usage: 140,986 allocs, 83,099 frees, 32,966,576 bytes allocated
==10542== 
==10542== LEAK SUMMARY:
==10542==    definitely lost: 42 bytes in 2 blocks
==10542==    indirectly lost: 0 bytes in 0 blocks
==10542==      possibly lost: 0 bytes in 0 blocks
==10542==    still reachable: 3,965,516 bytes in 57,885 blocks
==10542==         suppressed: 0 bytes in 0 blocks
==10542== Rerun with --leak-check=full to see details of leaked memory
==10542== 
==10542== For counts of detected and suppressed errors, rerun with: -v
==10542== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Speicherzugriffsfehler (Speicherabzug geschrieben)


Note that the crash doesn't occur if I delete .gnupg/trustdb.gpg,
but as soon as I modify the trust level of any key, gpg crashes again.

