Bug#1021928: libksba8: CVE-2022-3515 - remote code execution in libksba before 1.6.2

Thomas Arendsen Hein thomas at intevation.de
Mon Oct 17 13:34:44 BST 2022


Package: libksba8
Version: 1.3.5-2
Severity: grave
Tags: security patch upstream
Justification: user security hole

Dear Maintainer,

https://gnupg.org/blog/20221017-pepe-left-the-ksba.html
announces an integer overflow that may be used for remote code
execution in versions of libksba before 1.6.2, i.e. currently in
all Debian versions except for unstable, i.e.
bookworm, bullseye, buster (LTS)

https://security-tracker.debian.org/tracker/CVE-2022-3515
still shows "Description RESERVED".

Upstream bug report: https://dev.gnupg.org/T6230

A patch is available from
https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b


Patch from git://git.gnupg.org/libksba:

commit 4b7d9cd4a018898d7714ce06f3faf2626c14582b
Author: Werner Koch <wk at gnupg.org>
Date:   Wed Oct 5 14:19:06 2022 +0200

    Detect a possible overflow directly in the TLV parser.
    
    * src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
    used sum.
    --
    
    It is quite common to have checks like
    
        if (ti.nhdr + ti.length >= DIM(tmpbuf))
           return gpg_error (GPG_ERR_TOO_LARGE);
    
    This patch detects possible integer overflows immediately when
    creating the TI object.
    
    Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929

diff --git a/src/ber-help.c b/src/ber-help.c
index 81c31ed..56efb6a 100644
--- a/src/ber-help.c
+++ b/src/ber-help.c
@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
       ti->length = len;
     }
 
+  if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
+    {
+      ti->err_string = "header+length would overflow";
+      return gpg_error (GPG_ERR_EOVERFLOW);
+    }
+
   /* Without this kludge some example certs can't be parsed */
   if (ti->class == CLASS_UNIVERSAL && !ti->tag)
     ti->length = 0;
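Review bot: the guard `if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)` only detects the wrap-around if `nhdr` and `length` are unsigned; with signed fields the addition is undefined behaviour and the compiler is free to delete the comparison. The hunk does not show the `struct tag_info` field types, so confirm both are `size_t`. For unsigned operands the first conjunct is redundant (`nhdr + length < length` already holds exactly when the sum wrapped and `nhdr` is non-zero), and the conventional pre-check `ti->length > SIZE_MAX - ti->nhdr` expresses the intent without relying on a post-hoc wrap test. Note also that this catches only the bare `nhdr + length` sum; any caller that adds a further term to that sum (an offset, an extra buffer slot) still needs its own check, which matches the commit message's narrower claim about "a commonly used sum".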




-- System Information:
Debian Release: 10.13
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-21-amd64 (SMP w/32 CPU cores)
Locale: LANG=en_US.utf-8, LC_CTYPE=en_US.utf-8 (charmap=UTF-8), LANGUAGE=en_US.utf-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libksba8 depends on:
ii  libc6          2.28-10+deb10u1
ii  libgpg-error0  1.35-1

libksba8 recommends no packages.

libksba8 suggests no packages.

-- no debconf information

-- 
Thomas Arendsen Hein <thomas at intevation.de>  |  https://intevation.de
Intevation GmbH, Osnabrueck, DE; Amtsgericht Osnabrueck, HRB 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter



More information about the Pkg-gnutls-maint mailing list