Heads-up libksba 1.6.3
Andreas Metzler
ametzler at bebt.de
Tue Dec 20 17:34:12 GMT 2022
On 2022-12-20 Andreas Metzler <ametzler at bebt.de> wrote:
> Hello,
> the new libksba features the fix for "another vulnerability related to
> CVE-2022-3515".
> This is https://dev.gnupg.org/T6284 but has not (yet?) got its own CVE
> number.
> Patch should apply cleanly to stable/oldstable. I will upload to sid
> this evening and can probably also find time to propose an upload for
> stable.
[...]
Sid uploaded, debdiff for stable attached.
I will be offline until tomorrow in the evening. If you want to upload
this you can dput the signed changes file from
people.debian.org:~ametzler/KSBA.
cu Andreas
diff -Nru libksba-1.5.0/debian/changelog libksba-1.5.0/debian/changelog
--- libksba-1.5.0/debian/changelog 2022-10-17 18:36:34.000000000 +0200
+++ libksba-1.5.0/debian/changelog 2022-12-20 18:22:50.000000000 +0100
@@ -1,3 +1,11 @@
+libksba (1.5.0-3+deb11u2) bullseye-security; urgency=high
+
+ * 25-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch from 1.6.3
+ release: Fix an integer overflow in the CRL signature parser.
+ https://dev.gnupg.org/T6284
+
+ -- Andreas Metzler <ametzler at debian.org> Tue, 20 Dec 2022 18:22:50 +0100
+
libksba (1.5.0-3+deb11u1) bullseye-security; urgency=high
* 20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch from
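Review bot: the changelog entry only describes the CRL signature parser fix, but the backported patch also adds upper bounds on extension sizes in src/ocsp.c (parse_response_extensions and parse_single_extensions); listing that second change here, for example as "Also reject overly large OCSP extensions (src/ocsp.c)", would make the full scope of the security update visible to users reading the changelog.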
diff -Nru libksba-1.5.0/debian/patches/25-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch libksba-1.5.0/debian/patches/25-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch
--- libksba-1.5.0/debian/patches/25-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch 1970-01-01 01:00:00.000000000 +0100
+++ libksba-1.5.0/debian/patches/25-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch 2022-12-20 18:21:35.000000000 +0100
@@ -0,0 +1,73 @@
+From f61a5ea4e0f6a80fd4b28ef0174bee77793cf070 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk at gnupg.org>
+Date: Tue, 22 Nov 2022 16:36:46 +0100
+Subject: [PATCH] Fix an integer overflow in the CRL signature parser.
+
+* src/crl.c (parse_signature): N+N2 now checked for overflow.
+
+* src/ocsp.c (parse_response_extensions): Do not accept too large
+values.
+(parse_single_extensions): Ditto.
+--
+
+The second patch is an extra safegourd not related to the reported
+bug.
+
+GnuPG-bug-id: 6284
+Reported-by: Joseph Surin, elttam
+---
+ src/crl.c | 2 +-
+ src/ocsp.c | 12 ++++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/src/crl.c
++++ b/src/crl.c
+@@ -1347,11 +1347,11 @@ parse_signature (ksba_crl_t crl)
+ return err;
+ if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_BIT_STRING
+ && !ti.is_constructed) )
+ return gpg_error (GPG_ERR_INV_CRL_OBJ);
+ n2 = ti.nhdr + ti.length;
+- if (n + n2 >= DIM(tmpbuf))
++ if (n + n2 >= DIM(tmpbuf) || (n + n2) < n)
+ return gpg_error (GPG_ERR_TOO_LARGE);
+ memcpy (tmpbuf+n, ti.buf, ti.nhdr);
+ err = read_buffer (crl->reader, tmpbuf+n+ti.nhdr, ti.length);
+ if (err)
+ return err;
+--- a/src/ocsp.c
++++ b/src/ocsp.c
+@@ -712,10 +712,16 @@ parse_response_extensions (ksba_ocsp_t o
+ || memcmp (ocsp->nonce, data, ti.length))
+ ocsp->bad_nonce = 1;
+ else
+ ocsp->good_nonce = 1;
+ }
++ if (ti.length > (1<<24))
++ {
++ /* Bail out on much too large objects. */
++ err = gpg_error (GPG_ERR_BAD_BER);
++ goto leave;
++ }
+ ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
+ if (!ex)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+@@ -779,10 +785,16 @@ parse_single_extensions (struct ocsp_req
+ if (err)
+ goto leave;
+ err = parse_octet_string (&data, &datalen, &ti);
+ if (err)
+ goto leave;
++ if (ti.length > (1<<24))
++ {
++ /* Bail out on much too large objects. */
++ err = gpg_error (GPG_ERR_BAD_BER);
++ goto leave;
++ }
+ ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
+ if (!ex)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
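Review bot: the new wraparound test `(n + n2) < n` in parse_signature is only sound if n and n2 are unsigned; with signed operands the overflow is undefined behaviour and the compiler is free to drop the comparison, so please confirm the declarations (not visible in this hunk) or rewrite the check as `n2 >= DIM(tmpbuf) - n`, which needs no wraparound at all provided n < DIM(tmpbuf) is established earlier. Note that the preceding `n2 = ti.nhdr + ti.length;` is covered by neither form and relies on the TLV parser (patch 20_ in this series) bounding ti.length. In the two ocsp.c hunks, `1<<24` is an unexplained magic number; a short comment or named constant stating why 16 MiB is the chosen limit would help future maintainers, and since the commit message itself says this part is unrelated to the reported bug it deserves a mention in the Debian changelog.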
diff -Nru libksba-1.5.0/debian/patches/series libksba-1.5.0/debian/patches/series
--- libksba-1.5.0/debian/patches/series 2022-10-17 18:36:34.000000000 +0200
+++ libksba-1.5.0/debian/patches/series 2022-12-20 18:22:17.000000000 +0100
@@ -1,3 +1,4 @@
0001-fix-win32-linker.patch
10_Fix-a-possible-segv-in-case-of-an-unknown-CMS-object.patch
20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
+25-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch