FWIW, the patch highlighted by Thomas appears to apply cleanly to 1.5.0
(the version in debian stable).

We should apply this on top of 1.5.0-3 for bullseye, and 1.3.5-2 for
buster.

The attached debdiffs do that, and should be able to build properly.

I've also uploaded them to the debian/bullseye and debian/buster
branches at https://salsa.debian.org/dkg/libksba (using DEP-14 naming
conventions), though i don't know how useful extra git branches are to
Andreas, who has capably maintained libksba for many years -- i don't
see what his preferred workflow is for handling security updates, maybe
it's not in git.

If the security team and Andreas are ok with these updates to bullseye
and buster, i can do the upload into bullseye-security and
buster-security.

1.6.2 should migrate into testing shortly, so i'm not sure that we have
anything else to do there.

   --dkg

On Mon 2022-10-17 14:34:44 +0200, Thomas Arendsen Hein wrote:
> Package: libksba8
> Version: 1.3.5-2
> Severity: grave
> Tags: security patch upstream
> Justification: user security hole
>
> Dear Maintainer,
>
> https://gnupg.org/blog/20221017-pepe-left-the-ksba.html
> announces an integer overflow that may be used for remote code
> execution in versions of libksba before 1.6.2, i.e.
> currently in all Debian versions except for unstable, i.e.
> bookworm, bullseye, buster (LTS).
>
> https://security-tracker.debian.org/tracker/CVE-2022-3515
> still shows "Description RESERVED".
>
> Upstream bug report: https://dev.gnupg.org/T6230
>
> A patch is available from
> https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b
>
>
> Patch from git://git.gnupg.org/libksba:
>
> commit 4b7d9cd4a018898d7714ce06f3faf2626c14582b
> Author: Werner Koch <w...@gnupg.org>
> Date:   Wed Oct 5 14:19:06 2022 +0200
>
>     Detect a possible overflow directly in the TLV parser.
>     
>     * src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
>     used sum.
>     --
>     
>     It is quite common to have checks like
>     
>         if (ti.nhdr + ti.length >= DIM(tmpbuf))
>            return gpg_error (GPG_ERR_TOO_LARGE);
>     
>     This patch detects possible integer overflows immediately when
>     creating the TI object.
>     
>     Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
>
> diff --git a/src/ber-help.c b/src/ber-help.c
> index 81c31ed..56efb6a 100644
> --- a/src/ber-help.c
> +++ b/src/ber-help.c
> @@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info 
> *ti)
>        ti->length = len;
>      }
>  
> +  if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
> +    {
> +      ti->err_string = "header+length would overflow";
> +      return gpg_error (GPG_ERR_EOVERFLOW);
> +    }
> +
>    /* Without this kludge some example certs can't be parsed */
>    if (ti->class == CLASS_UNIVERSAL && !ti->tag)
>      ti->length = 0;
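Review bot: the guard `ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length` is correct for unsigned operands, but its first clause is redundant: for unsigned `a` and `b`, `a + b < b` holds exactly when the addition wrapped, so `(ti->nhdr + ti->length) < ti->length` alone detects the overflow and the extra comparison only obscures the intent. The test is also well-defined only while both fields are unsigned; if either were ever made signed, the sum would be undefined behaviour before the comparison runs. A form such as `ti->length > SIZE_MAX - ti->nhdr` (or the matching maximum for the field's type) checks the same condition without forming the wrapped sum and documents the assumption. Placing the check after `ti->length = len;` and before the CLASS_UNIVERSAL kludge is right, since the kludge zeroes `length` and would otherwise hide an oversized end-of-contents header from this test.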
>
>
>
>
> -- System Information:
> Debian Release: 10.13
>   APT prefers oldstable-updates
>   APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.19.0-21-amd64 (SMP w/32 CPU cores)
> Locale: LANG=en_US.utf-8, LC_CTYPE=en_US.utf-8 (charmap=UTF-8), 
> LANGUAGE=en_US.utf-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages libksba8 depends on:
> ii  libc6          2.28-10+deb10u1
> ii  libgpg-error0  1.35-1
>
> libksba8 recommends no packages.
>
> libksba8 suggests no packages.
>
> -- no debconf information
>
> -- 
> Thomas Arendsen Hein <tho...@intevation.de>  |  https://intevation.de
> Intevation GmbH, Osnabrueck, DE; Amtsgericht Osnabrueck, HRB 18998
> Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter
>
> -- 
> Pkg-gnutls-maint mailing list
> pkg-gnutls-ma...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-gnutls-maint

diff -Nru libksba-1.5.0/debian/changelog libksba-1.5.0/debian/changelog
--- libksba-1.5.0/debian/changelog	2020-12-24 02:06:58.000000000 -0500
+++ libksba-1.5.0/debian/changelog	2022-10-17 14:15:08.000000000 -0400
@@ -1,3 +1,10 @@
+libksba (1.5.0-3+deb11u1) bullseye-security; urgency=high
+
+  * Non-maintainer upload
+  * fix CVE 2022-3515
+
+ -- Daniel Kahn Gillmor <d...@fifthhorseman.net>  Mon, 17 Oct 2022 14:15:08 -0400
+
 libksba (1.5.0-3) unstable; urgency=medium
 
   * Add 10_Fix-a-possible-segv-in-case-of-an-unknown-CMS-object.patch from
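Review bot: the changelog line `* fix CVE 2022-3515` writes the identifier without the hyphen; the Debian security tracker matches changelog entries on the canonical `CVE-2022-3515` form, so the entry should read `* Fix CVE-2022-3515: integer overflow in the TLV parser (20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch)` and, once this report has a bug number, `(Closes: #NNNNNN)` with the real number in place of the placeholder.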
diff -Nru libksba-1.5.0/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch libksba-1.5.0/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
--- libksba-1.5.0/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch	1969-12-31 19:00:00.000000000 -0500
+++ libksba-1.5.0/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch	2022-10-17 14:13:49.000000000 -0400
@@ -0,0 +1,42 @@
+From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001
+From: Werner Koch <w...@gnupg.org>
+Date: Wed, 5 Oct 2022 14:19:06 +0200
+Subject: [PATCH] Detect a possible overflow directly in the TLV parser.
+
+* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
+used sum.
+--
+
+It is quite common to have checks like
+
+    if (ti.nhdr + ti.length >= DIM(tmpbuf))
+       return gpg_error (GPG_ERR_TOO_LARGE);
+
+This patch detects possible integer overflows immmediately when
+creating the TI object.
+
+Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
+---
+ src/ber-help.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/ber-help.c b/src/ber-help.c
+index 81c31ed..56efb6a 100644
+--- a/src/ber-help.c
++++ b/src/ber-help.c
+@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
+       ti->length = len;
+     }
+ 
++  if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
++    {
++      ti->err_string = "header+length would overflow";
++      return gpg_error (GPG_ERR_EOVERFLOW);
++    }
++
+   /* Without this kludge some example certs can't be parsed */
+   if (ti->class == CLASS_UNIVERSAL && !ti->tag)
+     ti->length = 0;
+-- 
+2.35.1
+
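Review bot: the added patch file carries git's From/Date/Subject headers, which quilt and DEP-3 accept, but no `Origin:` or `Bug:` field; adding `Origin: upstream, https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b` and `Bug: https://dev.gnupg.org/T6230` above the `---` separator records where the fix came from for whoever next touches the package.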
diff -Nru libksba-1.5.0/debian/patches/series libksba-1.5.0/debian/patches/series
--- libksba-1.5.0/debian/patches/series	2020-12-24 02:06:01.000000000 -0500
+++ libksba-1.5.0/debian/patches/series	2022-10-17 14:10:46.000000000 -0400
@@ -1,2 +1,3 @@
 0001-fix-win32-linker.patch
 10_Fix-a-possible-segv-in-case-of-an-unknown-CMS-object.patch
+20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
diff -Nru libksba-1.3.5/debian/changelog libksba-1.3.5/debian/changelog
--- libksba-1.3.5/debian/changelog	2016-09-03 09:22:31.000000000 -0400
+++ libksba-1.3.5/debian/changelog	2022-10-17 14:15:08.000000000 -0400
@@ -1,3 +1,10 @@
+libksba (1.3.5-2+deb10u1) buster-security; urgency=high
+
+  * Non-maintainer upload
+  * fix CVE 2022-3515
+
+ -- Daniel Kahn Gillmor <d...@fifthhorseman.net>  Mon, 17 Oct 2022 14:15:08 -0400
+
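Review bot: same identifier formatting issue as in the bullseye changelog entry: `* fix CVE 2022-3515` should be `* Fix CVE-2022-3515` so the security tracker's changelog matching picks it up, ideally with a one-line description of the bug and the patch file name.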
 libksba (1.3.5-2) unstable; urgency=medium
 
   * Upload to unstable.
diff -Nru libksba-1.3.5/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch libksba-1.3.5/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
--- libksba-1.3.5/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch	1969-12-31 19:00:00.000000000 -0500
+++ libksba-1.3.5/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch	2022-10-17 14:15:08.000000000 -0400
@@ -0,0 +1,42 @@
+From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001
+From: Werner Koch <w...@gnupg.org>
+Date: Wed, 5 Oct 2022 14:19:06 +0200
+Subject: [PATCH] Detect a possible overflow directly in the TLV parser.
+
+* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
+used sum.
+--
+
+It is quite common to have checks like
+
+    if (ti.nhdr + ti.length >= DIM(tmpbuf))
+       return gpg_error (GPG_ERR_TOO_LARGE);
+
+This patch detects possible integer overflows immmediately when
+creating the TI object.
+
+Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
+---
+ src/ber-help.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/ber-help.c b/src/ber-help.c
+index 81c31ed..56efb6a 100644
+--- a/src/ber-help.c
++++ b/src/ber-help.c
+@@ -181,6 +181,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
+       ti->length = len;
+     }
+ 
++  if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
++    {
++      ti->err_string = "header+length would overflow";
++      return gpg_error (GPG_ERR_EOVERFLOW);
++    }
++
+   /* Without this kludge some example certs can't be parsed */
+   if (ti->class == CLASS_UNIVERSAL && !ti->tag)
+     ti->length = 0;
+-- 
+2.35.1
+
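Review bot: this copy has its hunk header rebased to `@@ -181,6 +181,12 @@` while the upstream commit it is labelled as (`From 4b7d9cd4a018898d7714ce06f3faf2626c14582b`) uses `@@ -182,6 +182,12 @@`, so the file is no longer a verbatim export of that commit; mark it as such with `Origin: backport, https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b` so that anyone comparing against upstream knows the offset was adjusted by hand for 1.3.5.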
diff -Nru libksba-1.3.5/debian/patches/series libksba-1.3.5/debian/patches/series
--- libksba-1.3.5/debian/patches/series	2016-02-17 13:18:06.000000000 -0500
+++ libksba-1.3.5/debian/patches/series	2022-10-17 14:15:08.000000000 -0400
@@ -1 +1,2 @@
 0001-fix-win32-linker.patch
+20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
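What the quoted commit message describes, as an added C example that is not libksba's code: `struct tl_info`, `read_tl`, `fits_unchecked` and `build_overflowing_header` are hypothetical stand-ins for the real `tag_info` / `_ksba_ber_read_tl`, and the sample headers are constructed here. It parses a BER tag and definite length, applies the wraparound check at the point where upstream added it, and shows why a consumer test of the `ti.nhdr + ti.length >= DIM(tmpbuf)` shape is fooled once the sum wraps.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for libksba's struct tag_info; the field names follow
   the commit message (length, nhdr, err_string) but this is not the real struct. */
struct tl_info {
    unsigned int tag;        /* tag number (low five bits of the first octet) */
    size_t length;           /* content length announced by the header */
    size_t nhdr;             /* number of header octets consumed (tag + length) */
    const char *err_string;  /* set on error */
};

enum tl_status { TL_OK = 0, TL_TRUNCATED, TL_UNSUPPORTED, TL_OVERFLOW };

/* Parse a BER tag-length header from buf[0..buflen). Single-octet tags and
   definite lengths only; enough to show where the overflow check belongs. */
enum tl_status read_tl(const unsigned char *buf, size_t buflen, struct tl_info *ti)
{
    size_t pos = 0;

    memset(ti, 0, sizeof *ti);
    if (buflen < 2) {
        ti->err_string = "truncated header";
        return TL_TRUNCATED;
    }
    ti->tag = buf[pos] & 0x1f;
    if (ti->tag == 0x1f) {
        ti->err_string = "multi-octet tags not supported";
        return TL_UNSUPPORTED;
    }
    pos++;

    unsigned char c = buf[pos++];
    if (c < 0x80) {
        ti->length = c;                     /* short form: one octet */
    } else {
        size_t count = c & 0x7f;            /* long form: number of length octets */
        if (count == 0 || count > sizeof(size_t)) {
            ti->err_string = "unsupported length encoding";
            return TL_UNSUPPORTED;
        }
        if (buflen - pos < count) {
            ti->err_string = "truncated length";
            return TL_TRUNCATED;
        }
        size_t len = 0;
        while (count--)
            len = (len << 8) | buf[pos++];
        ti->length = len;
    }
    ti->nhdr = pos;

    /* The check the upstream commit adds to _ksba_ber_read_tl, written as
       "length > SIZE_MAX - nhdr": true exactly when nhdr + length would wrap,
       the same condition as upstream's "(nhdr + length) < length" for unsigned
       operands, but without forming the wrapped sum first. */
    if (ti->length > SIZE_MAX - ti->nhdr) {
        ti->err_string = "header+length would overflow";
        return TL_OVERFLOW;
    }
    return TL_OK;
}

/* The consumer-side test quoted in the commit message,
   "if (ti.nhdr + ti.length >= DIM(tmpbuf)) reject": once the sum has wrapped
   it compares a tiny value and wrongly reports that the object fits. */
int fits_unchecked(const struct tl_info *ti, size_t bufsize)
{
    return (ti->nhdr + ti->length) < bufsize;
}

/* Constructed sample: SEQUENCE (0x30) with a long-form length of all-ones
   over sizeof(size_t) octets, i.e. length == SIZE_MAX. Returns bytes written. */
size_t build_overflowing_header(unsigned char *out, size_t outlen)
{
    size_t n = sizeof(size_t);
    if (outlen < 2 + n)
        return 0;
    out[0] = 0x30;
    out[1] = (unsigned char)(0x80 | n);
    memset(out + 2, 0xff, n);
    return 2 + n;
}

int main(void)
{
    static const unsigned char benign[] = { 0x30, 0x03, 0x02, 0x01, 0x05 }; /* constructed */
    unsigned char wrapping[32];
    struct tl_info ti;
    size_t n;

    read_tl(benign, sizeof benign, &ti);
    printf("benign:   nhdr=%zu length=%zu\n", ti.nhdr, ti.length);

    n = build_overflowing_header(wrapping, sizeof wrapping);
    enum tl_status st = read_tl(wrapping, n, &ti);
    printf("wrapping: status=%d (%s), nhdr=%zu length=%zu\n", (int)st,
           ti.err_string ? ti.err_string : "ok", ti.nhdr, ti.length);
    printf("unchecked consumer test says it fits in 256 bytes: %d\n",
           fits_unchecked(&ti, 256));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the wrapping header is rejected by `read_tl` with "header+length would overflow", while `fits_unchecked` on the same fields still claims the object fits in a 256-byte buffer, which is exactly the gap the upstream check closes before any consumer gets to form that sum.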
