Bugzilla – Bug 979261
VUL-0: libksba: two OOB read access bugs remote DoS
Last modified: 2017-05-11 01:07:15 UTC
libksba 1.3.4 was released with the following changes:

> * Fixed two OOB read access bugs which could be used to force a DoS.

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=a7eed17a0b2a1c09ef986f3b4b323cd31cea2b64
> Fix possible read access beyond the buffer.
>
> * src/ber-help.c (_ksba_ber_parse_tl): Add extra sanity check.
> * src/cert.c (ksba_cert_get_cert_policies): Check TLV given length
>   against buffer length.
> (ksba_cert_get_ext_key_usages): Ditto.
> * src/ocsp.c (parse_asntime_into_isotime): Ditto.
> --
>
> The returned length of the object from _ksba_ber_parse_tl (ti.length)
> was not always checked against the actual buffer length, thus leading
> to a read access after the end of the buffer and thus a segv.
>
> GnuPG-bug-id: 2344
> Reported-by: Pascal Cuoq
> Signed-off-by: Werner Koch <wk@gnupg.org>

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=6be61daac047d8e6aa941eb103f8e71a1d4e3c75
Fix an OOB read access in _ksba_dn_to_str.

* src/dn.c (append_utf8_value): Use a straightforward check to fix an
  off-by-one.
--

The old fix for the problem from April 2015 had an off-by-one in the
bad encoding handling.

Fixes-commit: 243d12fdec66a4360fbb3e307a046b39b5b4ffc3
GnuPG-bug-id: 2344
Reported-by: Pascal Cuoq
Signed-off-by: Werner Koch <wk@gnupg.org>

-----

Related?

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=3f74c2cc0068d0b3584627af73c8c42ce720a826
> Fix an undefined return value in ksba_cert_get_digest_algo.
>
> * src/cert.c (ksba_cert_get_digest_algo): Set ALGO in the error case.
> * tests/cert-basic.c (one_file): Take care of printf which does not
>   handle NULL for %s
> --
>
> GnuPG-bug-id: 2343
> Reported-by: Pascal Cuoq

https://bugs.gnupg.org/gnupg/issue2343

-----

Also in release notes:

> * Fixed a crash due to faulty curve OID lookup code.

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=9df0ac3a4afa0272dbff08d17e9064f13be95814
> Fix lookup of ECC OIDs by name.
>
> * src/keyinfo.c (get_ecc_curve_oid): Fix obviously never tested table
>   lookup.
> --
>
> This led to a crash see
> https://lists.gnupg.org/pipermail/gnupg-devel/2015-October/030445.html
>
> The fix is obvious but I do not have test data for this.

"gpgsm --gen-key segfault with ECC key on smartcard"
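
Added example, not part of the bug report and not libksba's code: a small BER tag/length walker showing the check the first commit message describes, comparing the declared TLV length against the octets actually left in the buffer before the value is touched. The names `struct tl`, `parse_tl`, `count_tlvs` and the sample byte strings are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical header record for this sketch; not libksba's own type. */
struct tl { unsigned tag; size_t hdrlen, length; };

/* Parse one BER tag and definite length from buf[0..len).
   Returns 0 on success, -1 on truncated or unsupported input. */
static int parse_tl(const uint8_t *buf, size_t len, struct tl *out)
{
    size_t pos = 0;
    if (len < 2) return -1;
    out->tag = buf[pos++] & 0x1f;
    if (out->tag == 0x1f) return -1;    /* high tag numbers not handled */
    uint8_t c = buf[pos++];
    if (c < 0x80) {
        out->length = c;                /* short form */
    } else {
        size_t n = c & 0x7f;            /* long form: n length octets follow */
        if (n == 0 || n > sizeof(size_t) || n > len - pos)
            return -1;                  /* indefinite, oversized or truncated */
        out->length = 0;
        while (n--) out->length = (out->length << 8) | buf[pos++];
    }
    out->hdrlen = pos;
    return 0;
}

/* Walk consecutive TLVs; return their count, or -1 as soon as a declared
   length exceeds the octets actually left in the buffer. */
static int count_tlvs(const uint8_t *buf, size_t len)
{
    int count = 0;
    struct tl ti;
    while (len) {
        if (parse_tl(buf, len, &ti)) return -1;
        buf += ti.hdrlen; len -= ti.hdrlen;
        if (ti.length > len) return -1; /* TLV length vs. buffer length */
        buf += ti.length; len -= ti.length;  /* value is in bounds */
        count++;
    }
    return count;
}

/* Constructed samples: two well-formed OCTET STRINGs, then one whose
   declared length (0x7f) exceeds the two octets that follow. */
static const uint8_t good_der[] = { 0x04, 0x02, 0xaa, 0xbb, 0x04, 0x01, 0xcc };
static const uint8_t bad_der[]  = { 0x04, 0x7f, 0xaa, 0xbb };
```

A parser that succeeds on the header alone says nothing about whether the value fits; every caller that dereferences or skips `length` octets needs the comparison against the remaining buffer.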
Note... "Fixes-commit: 243d12fdec66a4360fbb3e307a046b39b5b4ffc3" The original fix was flawed...
This is an autogenerated message for OBS integration: This bug (979261) was mentioned in https://build.opensuse.org/request/show/394677 13.2 / libksba
bugbot adjusting priority
CVE-2016-4574 for the dn.c off by one inside the invalid fix
This is an autogenerated message for OBS integration: This bug (979261) was mentioned in https://build.opensuse.org/request/show/394785 13.2 / libksba
This is an autogenerated message for OBS integration: This bug (979261) was mentioned in https://build.opensuse.org/request/show/395170 13.2 / libksba
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2016-05-31. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62760
openSUSE-SU-2016:1370-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 979261
CVE References: CVE-2016-4574
Sources used:
openSUSE 13.2 (src): libksba-1.3.1-12.1

SUSE-SU-2016:1509-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 979261,979906
CVE References: CVE-2016-4574,CVE-2016-4579
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): libksba-1.0.4-1.25.1
SUSE Linux Enterprise Server 11-SP4 (src): libksba-1.0.4-1.25.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): libksba-1.0.4-1.25.1

SUSE-SU-2016:1510-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 979261,979906
CVE References: CVE-2016-4574,CVE-2016-4579
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): libksba-1.3.0-23.1
SUSE Linux Enterprise Software Development Kit 12 (src): libksba-1.3.0-23.1
SUSE Linux Enterprise Server 12-SP1 (src): libksba-1.3.0-23.1
SUSE Linux Enterprise Server 12 (src): libksba-1.3.0-23.1
SUSE Linux Enterprise Desktop 12-SP1 (src): libksba-1.3.0-23.1
SUSE Linux Enterprise Desktop 12 (src): libksba-1.3.0-23.1

openSUSE-SU-2016:1525-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 979261,979906
CVE References: CVE-2016-4574,CVE-2016-4579
Sources used:
openSUSE Leap 42.1 (src): libksba-1.3.0-7.1

released