Bug#1021928: libksba8: CVE-2022-3515 - remote code execution in libksba before 1.6.2

Daniel Kahn Gillmor dkg at debian.org
Mon Oct 17 19:48:20 BST 2022


FWIW, the patch highlighted by Thomas appears to apply cleanly to 1.5.0
(the version in debian stable).

We should apply this on top of 1.5.0-3 for bullseye, and 1.3.5-2 for
buster.

The attached debdiffs do that, and should be able to build properly.

I've also uploaded them to the debian/bullseye and debian/buster
branches at https://salsa.debian.org/dkg/libksba (using DEP-14 naming
conventions), though i don't know how useful extra git branches are to
Andreas, who has capably maintained libksba for many years -- i don't
see what his preferred workflow is for handling security updates, maybe
it's not in git.

If the security team and Andreas are ok with these updates to bullseye
and buster, i can do the upload into bullseye-security and
buster-security.

1.6.2 should migrate into testing shortly, so i'm not sure that we have
anything else to do there.

   --dkg

On Mon 2022-10-17 14:34:44 +0200, Thomas Arendsen Hein wrote:
> Package: libksba8
> Version: 1.3.5-2
> Severity: grave
> Tags: security patch upstream
> Justification: user security hole
>
> Dear Maintainer,
>
> https://gnupg.org/blog/20221017-pepe-left-the-ksba.html
> announces an integer overflow that may be used for remote code
> execution in versions of libksba before 1.6.2, i.e.
> currently in all Debian versions except for unstable, i.e.
> bookworm, bullseye, buster (LTS)
>
> https://security-tracker.debian.org/tracker/CVE-2022-3515
> still shows "Description RESERVED".
>
> Upstream bug report: https://dev.gnupg.org/T6230
>
> A patch is available from
> https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b
>
>
> Patch from git://git.gnupg.org/libksba:
>
> commit 4b7d9cd4a018898d7714ce06f3faf2626c14582b
> Author: Werner Koch <wk at gnupg.org>
> Date:   Wed Oct 5 14:19:06 2022 +0200
>
>     Detect a possible overflow directly in the TLV parser.
>     
>     * src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
>     used sum.
>     --
>     
>     It is quite common to have checks like
>     
>         if (ti.nhdr + ti.length >= DIM(tmpbuf))
>            return gpg_error (GPG_ERR_TOO_LARGE);
>     
>     This patch detects possible integer overflows immediately when
>     creating the TI object.
>     
>     Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
>
> diff --git a/src/ber-help.c b/src/ber-help.c
> index 81c31ed..56efb6a 100644
> --- a/src/ber-help.c
> +++ b/src/ber-help.c
> @@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
>        ti->length = len;
>      }
>  
> +  if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
> +    {
> +      ti->err_string = "header+length would overflow";
> +      return gpg_error (GPG_ERR_EOVERFLOW);
> +    }
> +
>    /* Without this kludge some example certs can't be parsed */
>    if (ti->class == CLASS_UNIVERSAL && !ti->tag)
>      ti->length = 0;
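Review bot: the `ti->length > ti->nhdr &&` guard on the first added line is redundant with the wrap test beside it and hides the intent: on unsigned fields `(ti->nhdr + ti->length) < ti->length` alone detects wrap-around, and when `length <= nhdr` the sum cannot wrap because `nhdr` only counts the few bytes of the TL header. Suggest dropping the guard, or adding a comment at the check site that states the precondition (both fields unsigned, since the wrap idiom is undefined behaviour on signed types) and names the callers' `ti.nhdr + ti.length >= DIM(tmpbuf)` comparisons this early check protects, so the dependency is visible in the code and not only in the commit message.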
>
>
>
>
> -- System Information:
> Debian Release: 10.13
>   APT prefers oldstable-updates
>   APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.19.0-21-amd64 (SMP w/32 CPU cores)
> Locale: LANG=en_US.utf-8, LC_CTYPE=en_US.utf-8 (charmap=UTF-8), LANGUAGE=en_US.utf-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages libksba8 depends on:
> ii  libc6          2.28-10+deb10u1
> ii  libgpg-error0  1.35-1
>
> libksba8 recommends no packages.
>
> libksba8 suggests no packages.
>
> -- no debconf information
>
> -- 
> Thomas Arendsen Hein <thomas at intevation.de>  |  https://intevation.de
> Intevation GmbH, Osnabrueck, DE; Amtsgericht Osnabrueck, HRB 18998
> Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter
>
> -- 
> Pkg-gnutls-maint mailing list
> Pkg-gnutls-maint at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-gnutls-maint
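As an added illustration of the check the commit message describes (example code written for this thread, not libksba's own; `tl_info`, `read_tl` and `copy_tlv` are this example's names), here is a minimal DER tag/length reader that rejects a length whose header+length sum would wrap, followed by a caller that relies on that guarantee when it compares the sum against a buffer size:

```c
/* Added example, not libksba code: a minimal DER tag/length (TL) reader
 * that rejects a length whose header+length sum would wrap, the class of
 * bug the libksba commit above fixes. All names here (tl_info, read_tl,
 * copy_tlv, ...) are this example's own, not libksba's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct tl_info {
  unsigned int tag;        /* low-form tag number (long-form tags rejected) */
  int          constructed;
  size_t       length;     /* content length taken from the L octets */
  size_t       nhdr;       /* bytes consumed by T and L */
  const char  *err;        /* set when read_tl fails */
};

/* Parse T and L from buf. Returns 0 on success, -1 with info->err set. */
static int read_tl(const unsigned char *buf, size_t buflen, struct tl_info *info)
{
  size_t pos;
  memset(info, 0, sizeof *info);
  if (buflen < 2) { info->err = "truncated header"; return -1; }
  info->constructed = (buf[0] & 0x20) != 0;
  info->tag = buf[0] & 0x1f;
  if (info->tag == 0x1f) { info->err = "long-form tag unsupported"; return -1; }
  pos = 1;
  if (buf[pos] < 0x80) {
    info->length = buf[pos++];                    /* short form */
  } else {
    unsigned int nlen = buf[pos++] & 0x7f;        /* long form: nlen length octets follow */
    size_t len = 0;
    if (nlen == 0) { info->err = "indefinite length unsupported"; return -1; }
    if (nlen > sizeof(size_t)) { info->err = "length field too long"; return -1; }
    if (buflen - pos < nlen) { info->err = "truncated length"; return -1; }
    for (unsigned int i = 0; i < nlen; i++)
      len = (len << 8) | buf[pos++];
    info->length = len;
  }
  info->nhdr = pos;
  /* nhdr + length is what callers compare against buffer sizes. Reject a
   * wrapping sum here once, so later "nhdr + length >= DIM(buf)" tests
   * cannot be bypassed. On unsigned types this is equivalent to the
   * patch's "(nhdr + length) < length" wrap test. */
  if (info->length > SIZE_MAX - info->nhdr) {
    info->err = "header+length would overflow";
    return -1;
  }
  return 0;
}

/* Caller-side check in the style the commit message describes: copy the
 * whole TLV into out[] only if it fits. Safe because read_tl guarantees
 * the sum cannot wrap. Returns bytes copied, or 0 on error. */
static size_t copy_tlv(const unsigned char *buf, size_t buflen,
                       unsigned char *out, size_t outlen)
{
  struct tl_info ti;
  if (read_tl(buf, buflen, &ti) < 0) return 0;
  if (ti.nhdr + ti.length > outlen) return 0;     /* cannot wrap now */
  if (ti.nhdr + ti.length > buflen) return 0;     /* truncated input */
  memcpy(out, buf, ti.nhdr + ti.length);
  return ti.nhdr + ti.length;
}

/* Constructed input: a SEQUENCE whose long-form length has every bit
 * set, i.e. length == SIZE_MAX, so nhdr + length would wrap. Returns 1
 * when read_tl rejects it with the overflow error. */
static int overflow_rejected(void)
{
  unsigned char big[2 + sizeof(size_t)];
  struct tl_info ti;
  big[0] = 0x30;
  big[1] = (unsigned char)(0x80 | sizeof(size_t));
  memset(big + 2, 0xff, sizeof(size_t));
  if (read_tl(big, sizeof big, &ti) == 0) return 0;  /* must not succeed */
  return strcmp(ti.err, "header+length would overflow") == 0;
}

/* Constructed input: SEQUENCE { INTEGER 5 }, 5 bytes in total. */
static size_t small_copied(void)
{
  static const unsigned char seq[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
  unsigned char out[16];
  return copy_tlv(seq, sizeof seq, out, sizeof out);
}

int main(void)
{
  printf("overflow rejected: %d\n", overflow_rejected());
  printf("small TLV copied: %zu bytes\n", small_copied());
  return 0;
}
```

The `SIZE_MAX - nhdr` form is used instead of the wrap idiom so the check reads as a precondition rather than relying on unsigned wrap-around; either form is fine on unsigned fields, but the wrap idiom is undefined behaviour if a future refactor makes one of the fields signed.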

-------------- next part --------------
A non-text attachment was scrubbed...
Name: libksba_1.5.0-3_1.5.0-3+deb11u1.debdiff
Type: text/x-diff
Size: 2675 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnutls-maint/attachments/20221017/0e5b2e75/attachment-0002.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libksba_1.3.5-2_1.3.5-2+deb10u1.debdiff
Type: text/x-diff
Size: 2557 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnutls-maint/attachments/20221017/0e5b2e75/attachment-0003.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnutls-maint/attachments/20221017/0e5b2e75/attachment-0001.sig>

