Your message dated Thu, 20 Oct 2022 20:34:21 +0000
with message-id <e1olcfb-004cye...@fasolo.debian.org>
and subject line Bug#1021928: fixed in libksba 1.5.0-3+deb11u1
has caused the Debian Bug report #1021928,
regarding libksba8: CVE-2022-3515 - remote code execution in libksba before 1.6.2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1021928: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021928
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libksba8
Version: 1.3.5-2
Severity: grave
Tags: security patch upstream
Justification: user security hole
Dear Maintainer,
https://gnupg.org/blog/20221017-pepe-left-the-ksba.html
announces an integer overflow that may be used for remote code
execution in versions of libksba before 1.6.2, i.e.
currently in all Debian versions except for unstable, i.e.
bookworm, bullseye, buster (LTS)
https://security-tracker.debian.org/tracker/CVE-2022-3515
still shows "Description RESERVED".
Upstream bug report: https://dev.gnupg.org/T6230
A patch is available from
https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b
Patch from git://git.gnupg.org/libksba:
commit 4b7d9cd4a018898d7714ce06f3faf2626c14582b
Author: Werner Koch <w...@gnupg.org>
Date: Wed Oct 5 14:19:06 2022 +0200
Detect a possible overflow directly in the TLV parser.
* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
used sum.
--
It is quite common to have checks like
if (ti.nhdr + ti.length >= DIM(tmpbuf))
return gpg_error (GPG_ERR_TOO_LARGE);
This patch detects possible integer overflows immediately when
creating the TI object.
Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
diff --git a/src/ber-help.c b/src/ber-help.c
index 81c31ed..56efb6a 100644
--- a/src/ber-help.c
+++ b/src/ber-help.c
@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info
*ti)
ti->length = len;
}
+ if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
+ {
+ ti->err_string = "header+length would overflow";
+ return gpg_error (GPG_ERR_EOVERFLOW);
+ }
+
/* Without this kludge some example certs can't be parsed */
if (ti->class == CLASS_UNIVERSAL && !ti->tag)
ti->length = 0;
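Review bot: the wraparound test in the new `if` only works if both `ti->nhdr` and `ti->length` are unsigned; the hunk does not show their declarations, so confirm they are `size_t` (a signed field would make the addition undefined behaviour rather than a detectable wrap). The first conjunct `ti->length > ti->nhdr` adds nothing to that test, since an unsigned sum can only wrap when the larger operand is near the type's maximum; the type-independent form `if (ti->length > SIZE_MAX - ti->nhdr)` states the intent without relying on the wrap at all. A one-line comment above the block naming the pattern it protects, the `ti.nhdr + ti.length >= DIM(tmpbuf)` checks quoted in the commit message, would keep the reason for the early rejection visible next to the code.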
-- System Information:
Debian Release: 10.13
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-21-amd64 (SMP w/32 CPU cores)
Locale: LANG=en_US.utf-8, LC_CTYPE=en_US.utf-8 (charmap=UTF-8),
LANGUAGE=en_US.utf-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libksba8 depends on:
ii libc6 2.28-10+deb10u1
ii libgpg-error0 1.35-1
libksba8 recommends no packages.
libksba8 suggests no packages.
-- no debconf information
--
Thomas Arendsen Hein <tho...@intevation.de> | https://intevation.de
Intevation GmbH, Osnabrueck, DE; Amtsgericht Osnabrueck, HRB 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter
--- End Message ---
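The overflow pattern the commit message describes, as an added C example that is not libksba's own code: a hypothetical BER tag/length reader (`read_tl`, `struct tl_info`, `naive_fits_in_tmpbuf`, `parse_hostile`, `parse_good` are all names chosen here) fills an nhdr/length pair and rejects a header whose sum would wrap `size_t` at the point the object is created, next to the caller-side DIM(tmpbuf)-style check that a wrapped sum would otherwise slip past. Both sample headers are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libksba code: a hypothetical BER tag/length reader that
 * applies the overflow guard from the commit message when it fills its
 * tag-info object, so later "nhdr + length" arithmetic cannot wrap. */

enum tl_status { TL_OK = 0, TL_TRUNCATED, TL_BAD_LENGTH, TL_OVERFLOW };

struct tl_info {
    unsigned int tag;   /* tag number from the identifier octet (low form only) */
    size_t nhdr;        /* bytes used by identifier + length octets */
    size_t length;      /* content length announced by the encoding */
};

/* Parse one tag/length header from buf[0..buflen).  Only single-octet
 * identifiers are handled; long-form lengths of up to sizeof(size_t) octets
 * are accepted and the indefinite form (0x80) is rejected. */
enum tl_status read_tl(const unsigned char *buf, size_t buflen, struct tl_info *ti)
{
    size_t pos = 0;

    memset(ti, 0, sizeof *ti);
    if (buflen < 2)
        return TL_TRUNCATED;
    ti->tag = buf[pos++] & 0x1f;

    unsigned char c = buf[pos++];
    if (c < 0x80) {
        ti->length = c;                     /* short form */
    } else if (c == 0x80) {
        return TL_BAD_LENGTH;               /* indefinite length: not supported here */
    } else {
        size_t n = c & 0x7f;                /* number of length octets */
        if (n > sizeof(size_t))
            return TL_BAD_LENGTH;           /* cannot be represented at all */
        if (buflen - pos < n)
            return TL_TRUNCATED;
        size_t len = 0;
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[pos++];
        ti->length = len;
    }
    ti->nhdr = pos;

    /* The guard the upstream patch adds, written in its type-independent
     * form: reject as soon as nhdr + length would exceed SIZE_MAX. */
    if (ti->length > SIZE_MAX - ti->nhdr)
        return TL_OVERFLOW;
    return TL_OK;
}

#define DIM(v) (sizeof (v) / sizeof ((v)[0]))

/* The caller-side pattern quoted in the commit message, without the guard:
 * returns 1 when header + content appears to fit a 64-byte tmpbuf.  With a
 * wrapped sum this wrongly reports "fits" for an enormous length. */
int naive_fits_in_tmpbuf(size_t nhdr, size_t length)
{
    unsigned char tmpbuf[64];
    (void)tmpbuf;
    return (nhdr + length) < DIM(tmpbuf);
}

/* Constructed hostile header: OCTET STRING with a long-form length of
 * sizeof(size_t) octets, all 0xff, i.e. length == SIZE_MAX. */
size_t build_hostile_header(unsigned char *out)
{
    out[0] = 0x04;
    out[1] = (unsigned char)(0x80 | sizeof(size_t));
    memset(out + 2, 0xff, sizeof(size_t));
    return 2 + sizeof(size_t);
}

enum tl_status parse_hostile(struct tl_info *ti)
{
    unsigned char hdr[2 + sizeof(size_t)];
    size_t n = build_hostile_header(hdr);
    return read_tl(hdr, n, ti);
}

/* Constructed benign header: OCTET STRING of length 3 ("abc"). */
enum tl_status parse_good(struct tl_info *ti)
{
    static const unsigned char good[] = { 0x04, 0x03, 'a', 'b', 'c' };
    return read_tl(good, sizeof good, ti);
}

int main(void)
{
    struct tl_info ti;
    enum tl_status st = parse_good(&ti);
    printf("benign:  status=%d nhdr=%zu length=%zu\n", st, ti.nhdr, ti.length);
    st = parse_hostile(&ti);
    printf("hostile: status=%d (TL_OVERFLOW=%d)\n", st, TL_OVERFLOW);
    /* What the wrapped sum would have done to the DIM(tmpbuf) check. */
    printf("naive check with wrapped sum says fits=%d\n",
           naive_fits_in_tmpbuf(2 + sizeof(size_t), SIZE_MAX));
    return 0;
}
```

The hostile header is rejected inside `read_tl` with `TL_OVERFLOW` before any caller gets to add `nhdr` and `length` together; `naive_fits_in_tmpbuf` shows why that early rejection matters, since the wrapped sum of the same two values is a small number that passes a bound check against a 64-byte buffer.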
--- Begin Message ---
Source: libksba
Source-Version: 1.5.0-3+deb11u1
Done: Andreas Metzler <ametz...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libksba, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1021...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <ametz...@debian.org> (supplier of updated libksba package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 17 Oct 2022 18:36:34 +0200
Source: libksba
Architecture: source
Version: 1.5.0-3+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-ma...@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametz...@debian.org>
Closes: 1021928
Changes:
libksba (1.5.0-3+deb11u1) bullseye-security; urgency=high
.
* 20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch from
upstream 1.6.2 release fixing an integer overflow. CVE-2022-3515
Closes: #1021928
Checksums-Sha1:
a1d73c9c29ee002a5678221bbae67f422bef7eb1 2502 libksba_1.5.0-3+deb11u1.dsc
866ab0974e9e7851ab13dc257ecb6517ba339c37 656518 libksba_1.5.0.orig.tar.bz2
2f918b41315d35a5eca0ef340fde155f8bfbbbbc 228 libksba_1.5.0.orig.tar.bz2.asc
72a350ffae3e6ebf43dee644a5ff20a891715106 14940 libksba_1.5.0-3+deb11u1.debian.tar.xz
Checksums-Sha256:
045b58b87315cbeaab6c82a8cdaf0f53463c1d8369935539cf0615df7bdac877 2502 libksba_1.5.0-3+deb11u1.dsc
ae4af129216b2d7fdea0b5bf2a788cd458a79c983bb09a43f4d525cc87aba0ba 656518 libksba_1.5.0.orig.tar.bz2
41a9020381b8201f15b9d7fc2a1abdb90ab2723152d1af0b77a58b12b4884a0f 228 libksba_1.5.0.orig.tar.bz2.asc
8cf8f061a85a496cc4dd4756f38e982e4ae79a41eef331ca0fe1fccb3c8e7a1a 14940 libksba_1.5.0-3+deb11u1.debian.tar.xz
Files:
398f4681272b0cf9f751ddfc70a497f0 2502 libs optional libksba_1.5.0-3+deb11u1.dsc
a43bc51bd1bf13295623398d0f2d88b4 656518 libs optional libksba_1.5.0.orig.tar.bz2
ca5d3f30089d95548b749ca0dff24078 228 libs optional libksba_1.5.0.orig.tar.bz2.asc
d1f633eb2a8064c36ee1759f12bd0f53 14940 libs optional libksba_1.5.0-3+deb11u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---