Bug#1021928: libksba8: CVE-2022-3515 - remote code execution in libksba before 1.6.2
Package: libksba8
Version: 1.3.5-2
Severity: grave
Tags: security patch upstream
Justification: user security hole

Dear Maintainer,

https://gnupg.org/blog/20221017-pepe-left-the-ksba.html announces an integer overflow that may be used for remote code execution in versions of libksba before 1.6.2, i.e. currently in all Debian versions except for unstable, i.e. bookworm, bullseye, buster (LTS).

https://security-tracker.debian.org/tracker/CVE-2022-3515 still shows "Description RESERVED".

Upstream bug report: https://dev.gnupg.org/T6230

A patch is available from https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b

Patch from git://git.gnupg.org/libksba:

commit 4b7d9cd4a018898d7714ce06f3faf2626c14582b
Author: Werner Koch
Date:   Wed Oct 5 14:19:06 2022 +0200

    Detect a possible overflow directly in the TLV parser.

    * src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly used sum.
    --

    It is quite common to have checks like

      if (ti.nhdr + ti.length >= DIM(tmpbuf))
        return gpg_error (GPG_ERR_TOO_LARGE);

    This patch detects possible integer overflows immediately when creating the TI object.

    Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929

diff --git a/src/ber-help.c b/src/ber-help.c
index 81c31ed..56efb6a 100644
--- a/src/ber-help.c
+++ b/src/ber-help.c
@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti) ti->length = len; } + if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length) +{ + ti->err_string = "header+length would overflow"; + return gpg_error (GPG_ERR_EOVERFLOW); +} + /* Without this kludge some example certs can't be parsed */ if (ti->class == CLASS_UNIVERSAL && !ti->tag) ti->length = 0; -- System Information: Debian Release: 10.13 APT prefers oldstable-updates APT policy: (500, 'oldstable-updates'), (500, 'oldstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-21-amd64 (SMP w/32 CPU cores) Locale: LANG=en_US.utf-8, LC_CTYPE=en_US.utf-8 (charmap=UTF-8), LANGUAGE=en_US.utf-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages libksba8 depends on: ii libc6 2.28-10+deb10u1 ii libgpg-error0 1.35-1 libksba8 recommends no packages. libksba8 suggests no packages. -- no debconf information -- Thomas Arendsen Hein | https://intevation.de Intevation GmbH, Osnabrueck, DE; Amtsgericht Osnabrueck, HRB 18998 Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter
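Review bot: the first conjunct `ti->length > ti->nhdr` in the new condition is redundant. Assuming both fields are unsigned, which the `(ti->nhdr + ti->length) < ti->length` test itself presupposes (for signed operands the wrapped sum would be undefined behaviour rather than a detectable value), an unsigned sum wraps exactly when the result is smaller than either operand, so `(ti->nhdr + ti->length) < ti->length` alone is sufficient and easier to reason about; if the extra comparison is intended as a shortcut, a one-line comment saying so would save the next reader the same analysis. Two further points: the guard only covers callers that compute exactly `ti->nhdr + ti->length`, so any caller that adds a further term to that sum (a running offset, for example) still needs its own overflow test and should not rely on this one; and the change would benefit from a regression test that feeds `_ksba_ber_read_tl` a long-form length whose octets encode a value near the maximum of the length type and asserts that GPG_ERR_EOVERFLOW comes back, since the caller-side `if (ti.nhdr + ti.length >= DIM(tmpbuf))` check quoted in the commit message passes silently for such input on unpatched code.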
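To make the arithmetic behind the bug concrete, here is an added example (not code from libksba, the bug report, or the upstream commit): a reduced BER tag/length reader with the same nhdr/length fields, the caller pattern quoted in the commit message, and a constructed header whose long-form length octets encode SIZE_MAX. The struct layout, the size_t field types, the function names, the error codes and the 64-byte buffer size are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Reduced model of a BER tag/length reader in the style of libksba's
 * _ksba_ber_read_tl(). Field names follow the bug report; the layout and the
 * size_t types are assumptions of this example, not libksba's own code. */
struct tl_info {
    unsigned int tag;    /* tag number; class bits and multi-byte tags omitted */
    int constructed;     /* constructed (0x20) vs. primitive encoding */
    int ndef;            /* indefinite-length form (length octet 0x80) */
    size_t length;       /* content length decoded from the length octets */
    size_t nhdr;         /* header bytes consumed: identifier + length octets */
    const char *err_string;
};

enum { TL_OK = 0, TL_TRUNCATED = -1, TL_BAD = -2, TL_OVERFLOW = -3 };

/* Parse one tag+length header from buf[0..len). With check_overflow set, a
 * header whose nhdr + length would wrap is rejected here (the upstream idea). */
int read_tl(const unsigned char *buf, size_t len, struct tl_info *ti, int check_overflow)
{
    size_t pos = 0;
    unsigned char c;
    memset(ti, 0, sizeof *ti);
    if (len < 2) { ti->err_string = "premature EOF"; return TL_TRUNCATED; }
    c = buf[pos++];
    ti->constructed = (c & 0x20) != 0;
    ti->tag = c & 0x1f;
    if (ti->tag == 0x1f) { ti->err_string = "multi-byte tag unsupported"; return TL_BAD; }
    c = buf[pos++];
    if (!(c & 0x80)) {                    /* short form: one octet */
        ti->length = c;
    } else if (c == 0x80) {               /* indefinite length */
        ti->ndef = 1;
    } else {                              /* long form: (c & 0x7f) length octets */
        unsigned int n = c & 0x7f, i;
        size_t l = 0;
        if (n > sizeof(size_t)) { ti->err_string = "length too large"; return TL_BAD; }
        for (i = 0; i < n; i++) {
            if (pos >= len) { ti->err_string = "premature EOF"; return TL_TRUNCATED; }
            l = (l << 8) | buf[pos++];
        }
        ti->length = l;
    }
    ti->nhdr = pos;

    /* Unsigned a + b wraps exactly when the result is below either operand. */
    if (check_overflow && ti->nhdr + ti->length < ti->length) {
        ti->err_string = "header+length would overflow";
        return TL_OVERFLOW;
    }
    return TL_OK;
}

/* The caller-side pattern quoted in the commit message: does the whole
 * element (header plus content) fit into a dim-byte temporary buffer? */
int fits_in_tmpbuf(const struct tl_info *ti, size_t dim)
{
    return ti->nhdr + ti->length < dim;
}

/* Constructed hostile input: OCTET STRING whose long-form length is
 * sizeof(size_t) octets of 0xff, i.e. length == SIZE_MAX. Returns bytes written. */
size_t craft_overflow_header(unsigned char *out, size_t cap)
{
    size_t i, n = sizeof(size_t);
    if (cap < 2 + n) return 0;
    out[0] = 0x04;
    out[1] = (unsigned char)(0x80 | n);
    for (i = 0; i < n; i++) out[2 + i] = 0xff;
    return 2 + n;
}

/* Run the crafted header through read_tl() and then the caller check. Returns
 * the parser's (negative) error if it rejected the header, otherwise
 * fits_in_tmpbuf()'s verdict for a 64-byte buffer: 1 means nhdr + SIZE_MAX
 * wrapped to nhdr - 1 and the oversized element "fits" (the bug). */
int demo_crafted_header(int check_overflow)
{
    unsigned char hdr[2 + sizeof(size_t)];
    struct tl_info ti;
    size_t n = craft_overflow_header(hdr, sizeof hdr);
    int rc = read_tl(hdr, n, &ti, check_overflow);
    if (rc != TL_OK) return rc;
    return ti.length == SIZE_MAX ? fits_in_tmpbuf(&ti, 64) : -99;
}

/* A well-formed SEQUENCE { INTEGER 5 } still parses with the check: returns 1. */
int demo_valid_sequence(void)
{
    static const unsigned char der[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
    struct tl_info ti;
    if (read_tl(der, sizeof der, &ti, 1) != TL_OK) return 0;
    return ti.tag == 0x10 && ti.constructed && ti.length == 3 && ti.nhdr == 2;
}
```

Call demo_crafted_header(0) and demo_crafted_header(1) from a small main() to see the two outcomes side by side: without the parser-side check the caller's buffer-size comparison is fooled, with it the header never reaches the caller. The comparison against SIZE_MAX inside demo_crafted_header() is only there to confirm that the constructed length octets decoded as intended on the current platform.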
Bug#601700: exception bug occurring with libsqlite3-0 3.7.3-1
Package: monotone
Version: 0.48-2
Severity: serious

I noticed this error today, too. I'm not sure if it is caused by the libsqlite3-0 upgrade (which I did two days ago), because I no longer have the old package.

Here is the debug log of running test-convert-mtn.t of the Mercurial test suite:

beginning commit on branch 'com.selenic.test'
Encountered an error while musing upon the following:
database.cc:1495: detected database error, 'E(value)' violated
Encountered an error while musing upon the following:
migrate_schema.cc:105: detected system error, 'E(false)' violated
Encountered an error while musing upon the following:
botan_pipe_cache.hh:42: detected internal error, 'I(!pipe)' violated
Encountered an error while musing upon the following:
botan_pipe_cache.hh:42: detected internal error, 'I(!pipe)' violated
Encountered an error while musing upon the following:
botan_pipe_cache.hh:42: detected internal error, 'I(!pipe)' violated
Encountered an error while musing upon the following:
botan_pipe_cache.hh:42: detected internal error, 'I(!pipe)' violated
Encountered an error while musing upon the following:
botan_pipe_cache.hh:42: detected internal error, 'I(!pipe)' violated
Encountered an error while musing upon the following:
botan_pipe_cache.hh:42: detected internal error, 'I(!pipe)' violated
Current work set: 4 items
- begin 'system_flavour' (in virtual void sanity::initialize(int, char**, const char*), at sanity.cc:112)
Linux 2.6.32-5-686 #1 SMP Tue Oct 19 14:40:34 UTC 2010 i686
- end 'system_flavour' (in virtual void sanity::initialize(int, char**, const char*), at sanity.cc:112)
- begin 'cmdline_string' (in virtual void sanity::initialize(int, char**, const char*), at sanity.cc:126)
'mtn', 'ci', '-m', 'divergentdirmove2'
- end 'cmdline_string' (in virtual void sanity::initialize(int, char**, const char*), at sanity.cc:126)
- begin 'string(lc_all)' (in virtual void sanity::initialize(int, char**, const char*), at sanity.cc:131)
C
- end 'string(lc_all)' (in virtual void sanity::initialize(int, char**, const char*), at sanity.cc:131)
- begin 'full_version_string' (in virtual void mtn_sanity::initialize(int, char**, const char*), at mtn-sanity.cc:32)
monotone 0.48 (base revision: 844268c137aaa783aa800a9c16ae61edda80ecea)
Running on : Linux 2.6.32-5-686 #1 SMP Tue Oct 19 14:40:34 UTC 2010 i686
C++ compiler: GNU C++ version 4.4.4
C++ standard library: GNU libstdc++ version 20100712
Boost version : 1_42
SQLite version : 3.7.3 (compiled against 3.7.0)
Lua version : Lua 5.1
PCRE version: 8.02 2010-03-19 (compiled against 8.2)
Botan version : 1.8.9 (compiled against 1.8.8)
Changes since base revision:
format_version "1"
new_manifest [86bede3ba4251594f3a0f7e0c31560f9f8ce3744]
old_revision [844268c137aaa783aa800a9c16ae61edda80ecea]
Generated from data cached in the distribution; further changes may have been made.
- end 'full_version_string' (in virtual void mtn_sanity::initialize(int, char**, const char*), at mtn-sanity.cc:32)

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (550, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages monotone depends on:
ii  libbotan-1.8.2  1.8.9-1            multiplatform crypto library
ii  libc6           2.11.2-6+squeeze1  Embedded GNU C Library: Shared lib
ii  libgcc1         1:4.4.5-4          GCC support library
ii  libidn11        1.15-2             GNU Libidn library, implementation
ii  liblua5.1-0     5.1.4-5            Simple, extensible, embeddable pro
ii  libpcre3        8.02-1.1           Perl 5 Compatible Regular Expressi
ii  libsqlite3-0    3.7.3-1            SQLite 3 shared library
ii  libstdc++6      4.4.5-4            The GNU Standard C++ Library v3
ii  zlib1g          1:1.2.3.4.dfsg-3   compression library - runtime

monotone recommends no packages.

Versions of packages monotone suggests:
pn  monotone-doc     (no description available)
pn  monotone-server  (no description available)

-- no debconf information

-- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#591293: bacula-director-pgsql: db upgrade to lenny-backports fails with ERROR: relation "file_jpfid_idx" already exists
* Thomas Arendsen Hein [20100821 22:00]:
> I'll try the change you have done in 5.0.2-2, i.e. removing the line
>
> CREATE INDEX file_jpfid_idx on File (JobId, PathId, FilenameId);
>
> from update_postgresql_tables.

I noticed that this actually was nearly the last thing done during the upgrade. I just manually executed "ANALYSE;" and I think my database is in a sane state now.

I verified that the changes done in /usr/share/dbconfig-common/data/bacula-director-pgsql/upgrade/pgsql/5.0.0 are in the database and everything looks ok.

Thanks,
Thomas

-- 
tho...@intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Bug#591293: bacula-director-pgsql: db upgrade to lenny-backports fails with ERROR: relation "file_jpfid_idx" already exists
* John Goerzen [20100820 21:41]:
> On 08/20/2010 01:53 PM, Thomas Arendsen Hein wrote:
>>
>> 2010-08-01 21:58:55 upgrade bacula-director-pgsql 2.4.4-1 5.0.2-1~bpo50+1
>>
>> The history before that was that I used bacula-director-sqlite3
>> 2.2.8-8 in the past and switched to postgresql without
>> importing/converting the old catalog when bacula 2.4.2-3.1 was the
>> current version in lenny/testing. dbconfig-common is still at
>> 1.8.39:
>
> OK, let me restate that and make sure I understand correctly.
>
> 1. You used to use bacula-director-sqlite3 version 2.2.8-8.
>
> 2. At some point you installed bacula-director-pgsql 2.4.2-3.1 instead.
>
> 3. You started with a freshly-installed new catalog when you installed
> 2.4.2-3.1, and made no effort to migrate the old catalog to it.
>
> 4. You made no changes to the database schema manually at any point.
>
> 5. You upgraded to 2.4.4-1 over time.
>
> 6. Then you had an error when upgrading from 2.4.4 to 5.0.2.
>
> Is that correct?

Yes, correct.

I'll try the change you have done in 5.0.2-2, i.e. removing the line

CREATE INDEX file_jpfid_idx on File (JobId, PathId, FilenameId);

from update_postgresql_tables.

Thanks,
Thomas

-- 
tho...@intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Bug#573408: error while loading sb-grovel makes SBCL uninstallable
Package: sbcl
Version: 1:1.0.25.0-1
Severity: normal

Bugs #547682 and #535305 discuss the same thing and provide workarounds. #535305 is marked as closed in Sep 2009, but the packages did not yet migrate from sid to squeeze. sbcl is installable, but according to #535305 asdf is broken.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (550, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-3-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sbcl depends on:
ii  common-lisp-controller  6.18      Common Lisp source and compiler ma
ii  libc6                   2.10.2-6  Embedded GNU C Library: Shared lib

Versions of packages sbcl recommends:
ii  binfmt-support  1.2.18  Support for extra binary formats

Versions of packages sbcl suggests:
pn  sbcl-doc     (no description available)
pn  sbcl-source  (no description available)
pn  slime        (no description available)

-- no debconf information
Bug#484311: reportbug adds os.curdir to sys.path
* Thijs Kinkhorst <[EMAIL PROTECTED]> [20080604 14:13]:
> On Wed, June 4, 2008 13:14, Nico Golde wrote:
> > I agree that it is of a low impact but I disagree that this
> > is not a security issue, people are using reportbug in /tmp and I don't see
> > a reason to assume people are not doing that.
>
> The chance of successful exploitation still seems very small, and indeed
> even then the problem is limited to just a regular user account. It's good
> that Sandro is fixing the bug directly so I'm not going to argue over bug
> severity, but I'm marking it as no-dsa for stable.

I encountered this bug in the real world: I extracted a tarball which contained a file named token.py, then I wanted to report a problem and therefore started reportbug.

This tarball did not contain harmful code, but as I did not verify it before (because I did not intend to execute parts of it), it could have been harmful.

And of course there is /tmp as mentioned by Nico Golde.

Regards,
Thomas

-- 
[EMAIL PROTECTED] - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Osnabrueck - Register: Amtsgericht Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Bug#484311: reportbug adds os.curdir to sys.path
Package: reportbug
Version: 3.31
Severity: grave
Tags: security
Justification: user security hole

sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path

To "exploit":

$ echo 'raise "FOO"' > token.py
$ reportbug
Traceback (most recent call last):
  File "/usr/bin/reportbug", line 39, in ?
    import optparse, re, os, pwd, time, locale, commands, checkversions
  File "/usr/lib/python2.4/optparse.py", line 73, in ?
    from gettext import gettext as _
  File "/usr/lib/python2.4/gettext.py", line 49, in ?
    import locale, copy, os, re, struct, sys
  File "/usr/lib/python2.4/copy.py", line 65, in ?
    import inspect
  File "/usr/lib/python2.4/inspect.py", line 31, in ?
    import sys, os, types, string, re, dis, imp, tokenize, linecache
  File "/usr/lib/python2.4/tokenize.py", line 30, in ?
    from token import *
  File "./token.py", line 1, in ?
    raise "FOO"
FOO

-- Package-specific info:
** Environment settings:
EDITOR="vim"
EMAIL="Thomas Arendsen Hein <[EMAIL PROTECTED]>"

** /home/thomas/.reportbugrc:
mutt
email "[EMAIL PROTECTED]"
realname "Thomas Arendsen Hein"

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24.3-id1-k8-2
Locale: LANG=en_US, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages reportbug depends on:
ii  python          2.4.4-2  An interactive high-level object-o
ii  python-central  0.5.12   register and build utility for Pyt

Versions of packages reportbug recommends:
pn  python-cjkcodecs | python-ico  (no description available)

-- no debconf information

-- 
[EMAIL PROTECTED] - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Osnabrueck - Register: Amtsgericht Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Bug#484305: bicyclerepair: bike.vim imports untrusted python files from cwd
Package: bicyclerepair
Version: 0.9-4.1
Severity: critical
Tags: security
Justification: root security hole

# pwd
/tmp/roundup-1.3.3/roundup
# vim /tmp/whatever
Error detected while processing /usr/share/vim/addons/plugin/bike.vim:
line 110:
Traceback (most recent call last):
  File "", line 6, in ?
  File "/usr/lib/python2.4/site-packages/bike/__init__.py", line 10, in ?
    from bikefacade import init, NotAPythonModuleOrPackageException, CouldntLocateASTNodeFromCoordinatesException, UndoStackEmptyException
  File "/usr/lib/python2.4/site-packages/bike/bikefacade.py", line 3, in ?
    import compiler
  File "__init__.py", line 24, in ?
  File "compiler/transformer.py", line 1348, in ?
AttributeError: 'module' object has no attribute 'LESS'
Press ENTER or type command to continue

bicyclerepair contains /usr/share/vim/addons/plugin/bike.vim which is automatically executed, at least in etch. I don't know about lenny/sid, see #464817 (bicyclerepair: Conform with Vim addon policy).

It imports (i.e. runs) python code it finds in the current working directory, in my example from the extracted roundup tarball.

I set Severity to "critical" instead of "grave", because the user who reported the traceback to me on a multi-user system does not use bicyclerepair, but just vim. Reportbug forced me to set "root security hole", because everyone using vim is affected (including root) and the Justification 5 "unknown / something else" would downgrade the Severity to "normal". The description for "grave" said that it only applies if the security problem affects people actually using the package.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24.3-id1-k8-2
Locale: LANG=en_US, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages bicyclerepair depends on:
ii  python          2.4.4-2  An interactive high-level object-o
ii  python-central  0.5.12   register and build utility for Pyt

bicyclerepair recommends no packages.

-- no debconf information

-- 
[EMAIL PROTECTED] - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Osnabrueck - Register: Amtsgericht Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner