FWIW, the patch highlighted by Thomas appears to apply cleanly to 1.5.0 (the version in debian stable).
We should apply this on top of 1.5.0-3 for bullseye, and 1.3.5-2 for buster. The attached debdiffs do that, and should be able to build properly.

I've also uploaded them to the debian/bullseye and debian/buster branches at https://salsa.debian.org/dkg/libksba (using DEP-14 naming conventions), though i don't know how useful extra git branches are to Andreas, who has capably maintained libksba for many years -- i don't see what his preferred workflow is for handling security updates, maybe it's not in git.

If the security team and Andreas are ok with these updates to bullseye and buster, i can do the upload into bullseye-security and buster-security.

1.6.2 should migrate into testing shortly, so i'm not sure that we have anything else to do there.

--dkg

On Mon 2022-10-17 14:34:44 +0200, Thomas Arendsen Hein wrote:
> Package: libksba8
> Version: 1.3.5-2
> Severity: grave
> Tags: security patch upstream
> Justification: user security hole
>
> Dear Maintainer,
>
> https://gnupg.org/blog/20221017-pepe-left-the-ksba.html
> announces an integer overflow that may be used for remote code
> execution in versions of libksba before 1.6.2, i.e.
> currently in all Debian versions except for unstable, i.e.
> bookworm, bullseye, buster (LTS)
>
> https://security-tracker.debian.org/tracker/CVE-2022-3515
> still shows "Description RESERVED".
>
> Upstream bug report: https://dev.gnupg.org/T6230
>
> A patch is available from
> https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b
>
>
> Patch from git://git.gnupg.org/libksba:
>
> commit 4b7d9cd4a018898d7714ce06f3faf2626c14582b
> Author: Werner Koch <w...@gnupg.org>
> Date: Wed Oct 5 14:19:06 2022 +0200
>
> Detect a possible overflow directly in the TLV parser.
>
> * src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
> used sum.
> -- > > It is quite common to have checks like > > if (ti.nhdr + ti.length >= DIM(tmpbuf)) > return gpg_error (GPG_ERR_TOO_LARGE); > > This patch detects possible integer overflows immmediately when > creating the TI object. > > Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929 > > diff --git a/src/ber-help.c b/src/ber-help.c > index 81c31ed..56efb6a 100644 > --- a/src/ber-help.c > +++ b/src/ber-help.c > @@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info > *ti) > ti->length = len; > } > > + if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length) > + { > + ti->err_string = "header+length would overflow"; > + return gpg_error (GPG_ERR_EOVERFLOW); > + } > + > /* Without this kludge some example certs can't be parsed */ > if (ti->class == CLASS_UNIVERSAL && !ti->tag) > ti->length = 0; > > > > > -- System Information: > Debian Release: 10.13 > APT prefers oldstable-updates > APT policy: (500, 'oldstable-updates'), (500, 'oldstable') > Architecture: amd64 (x86_64) > Foreign Architectures: i386 > > Kernel: Linux 4.19.0-21-amd64 (SMP w/32 CPU cores) > Locale: LANG=en_US.utf-8, LC_CTYPE=en_US.utf-8 (charmap=UTF-8), > LANGUAGE=en_US.utf-8 (charmap=UTF-8) > Shell: /bin/sh linked to /bin/bash > Init: systemd (via /run/systemd/system) > LSM: AppArmor: enabled > > Versions of packages libksba8 depends on: > ii libc6 2.28-10+deb10u1 > ii libgpg-error0 1.35-1 > > libksba8 recommends no packages. > > libksba8 suggests no packages. > > -- no debconf information > > -- > Thomas Arendsen Hein <tho...@intevation.de> | https://intevation.de > Intevation GmbH, Osnabrueck, DE; Amtsgericht Osnabrueck, HRB 18998 > Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter > > -- > Pkg-gnutls-maint mailing list > pkg-gnutls-ma...@alioth-lists.debian.net > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-gnutls-maint
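Review bot: the new test `(ti->nhdr + ti->length) < ti->length` in the ber-help.c hunk is only sound if both fields are unsigned, where wraparound is defined; with a signed operand the compiler may treat the overflow as impossible and drop the comparison, so that precondition deserves a comment next to the check. The leading conjunct `ti->length > ti->nhdr` is redundant: a wrapped unsigned sum is always smaller than each of its addends, and an unwrapped sum is never smaller than `ti->length`, so the second comparison alone is exactly the wraparound condition. Minor: the commit text has "immmediately" for "immediately".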
diff -Nru libksba-1.5.0/debian/changelog libksba-1.5.0/debian/changelog --- libksba-1.5.0/debian/changelog 2020-12-24 02:06:58.000000000 -0500 +++ libksba-1.5.0/debian/changelog 2022-10-17 14:15:08.000000000 -0400 @@ -1,3 +1,10 @@ +libksba (1.5.0-3+deb11u1) bullseye-security; urgency=high + + * Non-maintainer upload + * fix CVE 2022-3515 + + -- Daniel Kahn Gillmor <d...@fifthhorseman.net> Mon, 17 Oct 2022 14:15:08 -0400 + libksba (1.5.0-3) unstable; urgency=medium * Add 10_Fix-a-possible-segv-in-case-of-an-unknown-CMS-object.patch from diff -Nru libksba-1.5.0/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch libksba-1.5.0/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch --- libksba-1.5.0/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch 1969-12-31 19:00:00.000000000 -0500 +++ libksba-1.5.0/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch 2022-10-17 14:13:49.000000000 -0400 
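Review bot: in the bullseye changelog entry, `* fix CVE 2022-3515` should be written `CVE-2022-3515`; the hyphenated form is the Debian convention and is what tools that scan changelogs for CVE identifiers (the security tracker's changelog parsing included) match on. Naming the upstream commit (4b7d9cd4) and bug (https://dev.gnupg.org/T6230) in the same entry would also make it self-describing, both are cited in the report above.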
@@ -0,0 +1,42 @@ +From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001 +From: Werner Koch <w...@gnupg.org> +Date: Wed, 5 Oct 2022 14:19:06 +0200 +Subject: [PATCH] Detect a possible overflow directly in the TLV parser. + +* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly +used sum. +-- + +It is quite common to have checks like + + if (ti.nhdr + ti.length >= DIM(tmpbuf)) + return gpg_error (GPG_ERR_TOO_LARGE); + +This patch detects possible integer overflows immmediately when +creating the TI object. + +Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929 +--- + src/ber-help.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/ber-help.c b/src/ber-help.c +index 81c31ed..56efb6a 100644 +--- a/src/ber-help.c ++++ b/src/ber-help.c +@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti) + ti->length = len; + } + ++ if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length) ++ { ++ ti->err_string = "header+length would overflow"; ++ return gpg_error (GPG_ERR_EOVERFLOW); ++ } ++ + /* Without this kludge some example certs can't be parsed */ + if (ti->class == CLASS_UNIVERSAL && !ti->tag) + ti->length = 0; +-- +2.35.1 + diff -Nru libksba-1.5.0/debian/patches/series libksba-1.5.0/debian/patches/series --- libksba-1.5.0/debian/patches/series 2020-12-24 02:06:01.000000000 -0500 +++ libksba-1.5.0/debian/patches/series 2022-10-17 14:10:46.000000000 -0400 @@ -1,2 +1,3 @@ 0001-fix-win32-linker.patch 10_Fix-a-possible-segv-in-case-of-an-unknown-CMS-object.patch +20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
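Review bot: the 20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch file is the upstream format-patch verbatim, which is fine for 1.5.0 since the ber-help.c hunk applies at the same offset as upstream (`@@ -182,6 +182,12 @@`); adding DEP-3 `Origin: upstream, https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b` and `Bug: https://dev.gnupg.org/T6230` lines to its header would record the provenance without having to consult this bug. The series hunk is in order.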
diff -Nru libksba-1.3.5/debian/changelog libksba-1.3.5/debian/changelog --- libksba-1.3.5/debian/changelog 2016-09-03 09:22:31.000000000 -0400 +++ libksba-1.3.5/debian/changelog 2022-10-17 14:15:08.000000000 -0400 @@ -1,3 +1,10 @@ +libksba (1.3.5-2+deb10u1) buster-security; urgency=high + + * Non-maintainer upload + * fix CVE 2022-3515 + + -- Daniel Kahn Gillmor <d...@fifthhorseman.net> Mon, 17 Oct 2022 14:15:08 -0400 + libksba (1.3.5-2) unstable; urgency=medium * Upload to unstable. diff -Nru libksba-1.3.5/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch libksba-1.3.5/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch --- libksba-1.3.5/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch 1969-12-31 19:00:00.000000000 -0500 +++ libksba-1.3.5/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch 2022-10-17 14:15:08.000000000 -0400 
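Review bot: same point as for the bullseye entry: `* fix CVE 2022-3515` in the buster changelog should read `CVE-2022-3515` so the identifier is in the conventional, machine-matchable form.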
@@ -0,0 +1,42 @@ +From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001 +From: Werner Koch <w...@gnupg.org> +Date: Wed, 5 Oct 2022 14:19:06 +0200 +Subject: [PATCH] Detect a possible overflow directly in the TLV parser. + +* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly +used sum. +-- + +It is quite common to have checks like + + if (ti.nhdr + ti.length >= DIM(tmpbuf)) + return gpg_error (GPG_ERR_TOO_LARGE); + +This patch detects possible integer overflows immmediately when +creating the TI object. + +Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929 +--- + src/ber-help.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/ber-help.c b/src/ber-help.c +index 81c31ed..56efb6a 100644 +--- a/src/ber-help.c ++++ b/src/ber-help.c +@@ -181,6 +181,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti) + ti->length = len; + } + ++ if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length) ++ { ++ ti->err_string = "header+length would overflow"; ++ return gpg_error (GPG_ERR_EOVERFLOW); ++ } ++ + /* Without this kludge some example certs can't be parsed */ + if (ti->class == CLASS_UNIVERSAL && !ti->tag) + ti->length = 0; +-- +2.35.1 + diff -Nru libksba-1.3.5/debian/patches/series libksba-1.3.5/debian/patches/series --- libksba-1.3.5/debian/patches/series 2016-02-17 13:18:06.000000000 -0500 +++ libksba-1.3.5/debian/patches/series 2022-10-17 14:15:08.000000000 -0400 @@ -1 +1,2 @@ 0001-fix-win32-linker.patch +20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
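Review bot: in the buster copy of the patch the only difference from upstream is the hunk offset (`@@ -181,6 +181,12 @@` instead of `-182`), while the `From 4b7d9cd4...` and `index 81c31ed..56efb6a` lines still claim the upstream commit; `patch`/`quilt` would have applied the unmodified upstream hunk with a one-line offset anyway, so either keep the file byte-identical to upstream (easier to verify against the URL in the report) or document the edit with a DEP-3 `Origin: backport, https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b` line.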
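The wraparound check from the upstream ber-help.c commit quoted in the report, as an added example that is not libksba's code: a minimal BER tag+length reader in C that applies the same test to a constructed header whose long-form length is all 0xff octets, next to the `nhdr + length` bounds-check pattern the commit message quotes, to show why that pattern alone misses a wrapped sum. All names here (tl_info, read_tl, sum_fits, build_huge_tl, TL_*) are assumptions made for this example.

```c
/* Added example, not libksba code: a minimal BER tag+length reader carrying the
 * wraparound check from the upstream ber-help.c commit; all names are constructed. */
#include <stddef.h>
#include <string.h>
enum { TL_OK, TL_TRUNCATED, TL_BAD_LENGTH, TL_OVERFLOW };
struct tl_info {
    size_t nhdr;    /* octets used by the tag and length fields */
    size_t length;  /* content length; unsigned, so wraparound is defined */
};
/* One tag octet, then a short-form or definite long-form (0x80|n, n octets)
 * length. Indefinite (0x80) and over-wide lengths are rejected. */
int read_tl(const unsigned char *buf, size_t buflen, struct tl_info *ti)
{
    size_t pos = 2;
    if (buflen < 2)
        return TL_TRUNCATED;
    if (buf[1] < 0x80) {
        ti->length = buf[1];
    } else {
        unsigned int count = buf[1] & 0x7f;
        if (count == 0 || count > sizeof(size_t))
            return TL_BAD_LENGTH;
        if (buflen - pos < count)
            return TL_TRUNCATED;
        ti->length = 0;
        while (count--)
            ti->length = (ti->length << 8) | buf[pos++];
    }
    ti->nhdr = pos;
    /* The upstream check: an unsigned sum that wrapped is smaller than
     * either addend, so comparing it with length alone detects it. */
    if ((ti->nhdr + ti->length) < ti->length)
        return TL_OVERFLOW;
    return TL_OK;
}

/* The bounds-check pattern quoted in the commit message; a wrapped sum passes it. */
int sum_fits(const struct tl_info *ti, size_t cap)
{
    return (ti->nhdr + ti->length) < cap;
}

/* Constructed input: SEQUENCE tag, long-form length of all-0xff octets (SIZE_MAX). */
size_t build_huge_tl(unsigned char *out)
{
    out[0] = 0x30;
    out[1] = (unsigned char)(0x80 | sizeof(size_t));
    memset(out + 2, 0xff, sizeof(size_t));
    return 2 + sizeof(size_t);
}
```

With the all-0xff length, read_tl reports TL_OVERFLOW, yet sum_fits on the same tl_info still answers "fits" for any small cap, which is the gap the upstream commit closes at parse time.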