Bugzilla – Bug 907074
VUL-0: CVE-2014-9087: Libksba: buffer overflow in ksba_oid_to_str
Last modified: 2015-01-26 11:38:50 UTC
Created attachment 614917
Upstream commit f715b9e156dfa99ae829fc694e5a0abd23ef97d7

http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html

Libksba 1.3.2 fixes a buffer overflow in ksba_oid_to_str.

> This is a *security fix* release and all users of Libksba should update
> to this version. Note that GnuPG 2.x makes use of Libksba and thus all
> users of GnuPG 2.x need to install this new version of libksba and at
> least restart the dirmngr process.
>
> Impact of the security bug
> ==========================
>
> By using specially crafted S/MIME messages or ECC based OpenPGP data, it
> is possible to create a buffer overflow. The bug is not easy to exploit
> because there are only 80 possible values which can be used to overwrite
> memory. However, a denial of service is possible and someone may come
> up with other clever attacks. Thus this should be fixed.
>
> Affected versions: All Libksba versions < 1.3.2
>
> Background: Yesterday Hanno Böck found an invalid memory access in the
> 2.1 branch of GnuPG by conveying a malformed OID as part of an ECC key.
> It turned out that this bug has also been in libksba ever since and
> affects at least gpgsm and dirmngr. The code to convert an OID to its
> string representation has an obvious error of not considering an invalid
> encoding for arc-2. A first byte of 0x80 can be used to make a value of
> less than 80 and we then subtract 80 from it as required by the OID
> encoding rules. Due to the use of an unsigned integer this results in a
> pretty long value which won't fit anymore into the allocated buffer.
> The actual fix for Libksba is commit f715b9e.

Upstream commit f715b9e156dfa99ae829fc694e5a0abd23ef97d7
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=f715b9e156dfa99ae829fc694e5a0abd23ef97d7
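
The arc-2 handling described in the announcement above, as an added example that is not part of this bug report and is not Libksba's code or its upstream fix: a bounds-checked decoder for DER OID contents that rejects a subidentifier starting with 0x80 and derives the first arc from the decoded value, so the subtraction cannot wrap. The names `read_subid` and `oid_to_str_checked` and the sample bytes are assumptions made for this illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Read one base-128 subidentifier starting at buf[*pos]; -1 if malformed. */
int read_subid(const unsigned char *buf, size_t len, size_t *pos, unsigned long *val)
{
    unsigned char c;
    if (*pos < len && buf[*pos] == 0x80)
        return -1;              /* non-minimal leading 0x80 (the trigger here) */
    *val = 0;
    do {
        if (*pos >= len || *val > (ULONG_MAX >> 7))
            return -1;          /* truncated, or the shift would overflow */
        c = buf[(*pos)++];
        *val = (*val << 7) | (c & 0x7f);
    } while (c & 0x80);
    return 0;
}

/* DER OID contents -> dotted string. 0 on success, -1 on bad input or space. */
int oid_to_str_checked(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
    size_t pos = 0, used = 0;
    unsigned long val, arc1;
    int n;
    if (read_subid(buf, len, &pos, &val))
        return -1;
    /* arc1 comes from the decoded value, so val - 40*arc1 can never wrap. */
    arc1 = val < 40 ? 0 : val < 80 ? 1 : 2;
    n = snprintf(out, outlen, "%lu.%lu", arc1, val - 40 * arc1);
    for (;;) {
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;          /* would not fit: refuse instead of overrunning */
        used += (size_t)n;
        if (pos >= len)
            return 0;
        if (read_subid(buf, len, &pos, &val))
            return -1;
        n = snprintf(out + used, outlen - used, ".%lu", val);
    }
}

int main(void)
{
    const unsigned char bad[] = { 0x80, 0x01 };   /* constructed malformed OID */
    char out[32];
    return oid_to_str_checked(bad, sizeof bad, out, sizeof out) == -1 ? 0 : 1;
}
```

The caller supplies the output buffer and its size, and an OID whose text form does not fit is reported as an error rather than truncated.
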
This is an autogenerated message for OBS integration: This bug (907074) was mentioned in https://build.opensuse.org/request/show/263068 Factory / libksba
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2014-12-24. https://swamp.suse.de/webswamp/wf/59815
SLE products are affected as well.
Sorry, I won't be able to do maintenance updates on this myself.
Yup, but vcizek@suse.com is in CC. He is the maintainer.
(Victor commented in private comments which you were not able to read, sorry. Unprivatized some comments. Our libksba maintainer will do it.)
This is an autogenerated message for OBS integration: This bug (907074) was mentioned in https://build.opensuse.org/request/show/264624 13.2+13.1+12.3 / libksba
SUSE-SU-2014:1676-1: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 907074
CVE References: CVE-2014-9087
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): libksba-1.0.4-1.18.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): libksba-1.0.4-1.18.1
SUSE Linux Enterprise Server 11 SP3 (src): libksba-1.0.4-1.18.1
SUSE Linux Enterprise Desktop 11 SP3 (src): libksba-1.0.4-1.18.1

openSUSE-SU-2014:1682-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 907074
CVE References: CVE-2014-9087
Sources used:
openSUSE 13.2 (src): libksba-1.3.1-4.1
openSUSE 13.1 (src): libksba-1.3.0-5.4.1
openSUSE 12.3 (src): libksba-1.3.0-3.4.1

SUSE-SU-2015:0030-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 907074
CVE References: CVE-2014-9087
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): libksba-1.3.0-9.1
SUSE Linux Enterprise Server 12 (src): libksba-1.3.0-9.1
SUSE Linux Enterprise Desktop 12 (src): libksba-1.3.0-9.1

was released