Your message dated Mon, 17 Oct 2022 20:23:06 +0200
with message-id <[email protected]>
and subject line Re: Bug#1021928: libksba8: CVE-2022-3515 - remote code
execution in libksba before 1.6.2
has caused the Debian Bug report #1021928,
regarding libksba8: CVE-2022-3515 - remote code execution in libksba before
1.6.2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1021928: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021928
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libksba8
Version: 1.3.5-2
Severity: grave
Tags: security patch upstream
Justification: user security hole
Dear Maintainer,
https://gnupg.org/blog/20221017-pepe-left-the-ksba.html
announces an integer overflow that may be used for remote code
execution in versions of libksba before 1.6.2, i.e.
in currently in all Debian versions except for unstable, i.e.
bookwork, bullseye, buster (LTS)
https://security-tracker.debian.org/tracker/CVE-2022-3515
still shows "Description RESERVED".
Upstream bug report: https://dev.gnupg.org/T6230
A patch is available from
https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b
Patch from git://git.gnupg.org/libksba:
commit 4b7d9cd4a018898d7714ce06f3faf2626c14582b
Author: Werner Koch <[email protected]>
Date: Wed Oct 5 14:19:06 2022 +0200
Detect a possible overflow directly in the TLV parser.
* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
used sum.
--
It is quite common to have checks like
if (ti.nhdr + ti.length >= DIM(tmpbuf))
return gpg_error (GPG_ERR_TOO_LARGE);
This patch detects possible integer overflows immmediately when
creating the TI object.
Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
diff --git a/src/ber-help.c b/src/ber-help.c
index 81c31ed..56efb6a 100644
--- a/src/ber-help.c
+++ b/src/ber-help.c
@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info
*ti)
ti->length = len;
}
+ if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
+ {
+ ti->err_string = "header+length would overflow";
+ return gpg_error (GPG_ERR_EOVERFLOW);
+ }
+
/* Without this kludge some example certs can't be parsed */
if (ti->class == CLASS_UNIVERSAL && !ti->tag)
ti->length = 0;
-- System Information:
Debian Release: 10.13
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-21-amd64 (SMP w/32 CPU cores)
Locale: LANG=en_US.utf-8, LC_CTYPE=en_US.utf-8 (charmap=UTF-8),
LANGUAGE=en_US.utf-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libksba8 depends on:
ii libc6 2.28-10+deb10u1
ii libgpg-error0 1.35-1
libksba8 recommends no packages.
libksba8 suggests no packages.
-- no debconf information
--
Thomas Arendsen Hein <[email protected]> | https://intevation.de
Intevation GmbH, Osnabrueck, DE; Amtsgericht Osnabrueck, HRB 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter
--- End Message ---
--- Begin Message ---
Version: 1.6.2-1
On 2022-10-17 Thomas Arendsen Hein <[email protected]> wrote:
> Package: libksba8
> Version: 1.3.5-2
> Severity: grave
> Tags: security patch upstream
> Justification: user security hole
> Dear Maintainer,
> https://gnupg.org/blog/20221017-pepe-left-the-ksba.html
> announces an integer overflow that may be used for remote code
> execution in versions of libksba before 1.6.2, i.e.
> in currently in all Debian versions except for unstable, i.e.
> bookwork, bullseye, buster (LTS)
[...]
Marking as fixed in sid ...
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
--- End Message ---
