Bug#1021928: libksba8: CVE-2022-3515 - remote code execution in libksba before 1.6.2

2022-10-17 Thread Thomas Arendsen Hein
Package: libksba8
Version: 1.3.5-2
Severity: grave
Tags: security patch upstream
Justification: user security hole

Dear Maintainer,

https://gnupg.org/blog/20221017-pepe-left-the-ksba.html
announces an integer overflow that may be used for remote code
execution in versions of libksba before 1.6.2, i.e.
currently in all Debian versions except for unstable, i.e.
bookworm, bullseye, buster (LTS)

https://security-tracker.debian.org/tracker/CVE-2022-3515
still shows "Description RESERVED".

Upstream bug report: https://dev.gnupg.org/T6230

A patch is available from
https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b


Patch from git://git.gnupg.org/libksba:

commit 4b7d9cd4a018898d7714ce06f3faf2626c14582b
Author: Werner Koch 
Date:   Wed Oct 5 14:19:06 2022 +0200

Detect a possible overflow directly in the TLV parser.

* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
used sum.
--

It is quite common to have checks like

if (ti.nhdr + ti.length >= DIM(tmpbuf))
   return gpg_error (GPG_ERR_TOO_LARGE);

This patch detects possible integer overflows immediately when
creating the TI object.

Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929

diff --git a/src/ber-help.c b/src/ber-help.c
index 81c31ed..56efb6a 100644
--- a/src/ber-help.c
+++ b/src/ber-help.c
@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info 
*ti)
   ti->length = len;
 }
 
+  if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
+{
+  ti->err_string = "header+length would overflow";
+  return gpg_error (GPG_ERR_EOVERFLOW);
+}
+
   /* Without this kludge some example certs can't be parsed */
   if (ti->class == CLASS_UNIVERSAL && !ti->tag)
 ti->length = 0;
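Review bot: the new check relies on the sum `ti->nhdr + ti->length` wrapping around, which is only well-defined if both fields are unsigned; if either were a signed type the addition itself would be undefined behaviour before the comparison runs. For unsigned operands the leading conjunct `ti->length > ti->nhdr` is redundant, because a wrapped sum is smaller than both operands, so `(ti->nhdr + ti->length) < ti->length` already decides the case on its own. A form that never computes the wrapped value, such as `if (ti->length > SIZE_MAX - ti->nhdr)` (or the maximum of the fields' actual type), would be clearer and equally cheap, and a one-line comment saying that this check exists so that the callers' `nhdr + length >= DIM(tmpbuf)` comparisons can be trusted would document the intent stated in the commit message.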




-- System Information:
Debian Release: 10.13
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-21-amd64 (SMP w/32 CPU cores)
Locale: LANG=en_US.utf-8, LC_CTYPE=en_US.utf-8 (charmap=UTF-8), 
LANGUAGE=en_US.utf-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libksba8 depends on:
ii  libc6  2.28-10+deb10u1
ii  libgpg-error0  1.35-1

libksba8 recommends no packages.

libksba8 suggests no packages.

-- no debconf information

-- 
Thomas Arendsen Hein   |  https://intevation.de
Intevation GmbH, Osnabrueck, DE; Amtsgericht Osnabrueck, HRB 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter
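The check that the patch above adds, worked through as an added example that is neither libksba's code nor Werner Koch's: a minimal BER tag-length reader built here decodes a header into nhdr and length, applies the commit's overflow condition at the point where the tag_info is filled in, and shows why a caller-side comparison of the kind quoted in the commit message (`ti.nhdr + ti.length >= DIM(tmpbuf)`) is fooled once the sum has wrapped. The field names nhdr, length, tag, class and err_string follow the patch; read_tl, tl_overflows_patch, tl_overflows_nosum, fits_tmpbuf_unchecked, fits_tmpbuf_checked and the sample byte strings are constructed for this example and do not mirror libksba's real implementation (for instance, long-form tags are not handled).

```c
/*
 * Added example, not libksba's code: a minimal BER tag-length reader with
 * the commit's "header+length would overflow" check in the place the patch
 * puts it. Field names follow the patch; everything else is constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct tag_info {
    unsigned class;          /* BER class: top two bits of the first octet */
    unsigned tag;            /* tag number (short form only in this example) */
    int is_constructed;      /* bit 5 of the first octet */
    int ndef;                /* indefinite length (length octet 0x80) */
    size_t nhdr;             /* number of header octets consumed */
    size_t length;           /* decoded content length */
    const char *err_string;
};

/* The condition exactly as added by the patch. It relies on unsigned
 * wrap-around: a wrapped sum is smaller than either operand. */
int tl_overflows_patch(const struct tag_info *ti)
{
    return ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length;
}

/* Same decision without ever computing the wrapped sum. */
int tl_overflows_nosum(const struct tag_info *ti)
{
    return ti->length > SIZE_MAX - ti->nhdr;
}

/* Caller-side check of the kind quoted in the commit message
 * ("if (ti.nhdr + ti.length >= DIM(tmpbuf)) return TOO_LARGE").
 * Returns 1 when the object would be accepted into a buffer of bufsize. */
int fits_tmpbuf_unchecked(const struct tag_info *ti, size_t bufsize)
{
    return (ti->nhdr + ti->length) < bufsize;
}

/* The same acceptance decision with the patch's check run first. */
int fits_tmpbuf_checked(const struct tag_info *ti, size_t bufsize)
{
    return !tl_overflows_patch(ti) && fits_tmpbuf_unchecked(ti, bufsize);
}

/* Decodes one tag+length header from buf. Returns 0 on success, -1 on
 * malformed or unsupported input, -2 when header+length would overflow.
 * Long-form tags (0x1f) are rejected; that is a simplification here. */
int read_tl(const unsigned char *buf, size_t buflen, struct tag_info *ti)
{
    size_t pos = 0;
    unsigned char c;

    ti->err_string = NULL;
    if (buflen < 2)
        return -1;
    c = buf[pos++];
    ti->class = c >> 6;
    ti->is_constructed = (c & 0x20) != 0;
    ti->tag = c & 0x1f;
    if (ti->tag == 0x1f)
        return -1;

    c = buf[pos++];
    ti->ndef = 0;
    if (c == 0x80) {                     /* indefinite length */
        ti->ndef = 1;
        ti->length = 0;
    } else if (c < 0x80) {               /* short form */
        ti->length = c;
    } else {                             /* long form: (c & 0x7f) octets follow */
        unsigned count = c & 0x7f;
        if (count > sizeof (size_t) || count > buflen - pos)
            return -1;
        ti->length = 0;
        while (count--)
            ti->length = (ti->length << 8) | buf[pos++];
    }
    ti->nhdr = pos;

    /* The patch's check, at the point where the TI object is created. */
    if (tl_overflows_patch(ti)) {
        ti->err_string = "header+length would overflow";
        return -2;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: a normal OCTET STRING header, and one whose
     * 8-octet length is SIZE_MAX-1 (meaningful with a 64-bit size_t). */
    const unsigned char ok[]  = { 0x04, 0x03, 'a', 'b', 'c' };
    const unsigned char bad[] = { 0x04, 0x88, 0xff, 0xff, 0xff, 0xff,
                                  0xff, 0xff, 0xff, 0xfe };
    struct tag_info ti;
    int rc = read_tl(ok, sizeof ok, &ti);
    printf("ok:  rc=%d nhdr=%zu length=%zu\n", rc, ti.nhdr, ti.length);
    rc = read_tl(bad, sizeof bad, &ti);
    printf("bad: rc=%d err=%s\n", rc, ti.err_string ? ti.err_string : "(none)");
    return 0;
}
```

Compile with any C99 compiler and run: the first header is accepted; for the second, nhdr + length wraps to 8, so fits_tmpbuf_unchecked would happily accept it into a 64-byte buffer, while read_tl rejects it before any caller gets that far. tl_overflows_nosum makes the same decision without computing the wrapped sum, which also keeps the check well-defined should the fields ever be signed.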



Bug#601700: exception bug occurring with libsqlite3-0 3.7.3-1

2010-10-29 Thread Thomas Arendsen Hein
Package: monotone
Version: 0.48-2
Severity: serious


I noticed this error today, too. I'm not sure if it is caused by the
libsqlite3-0 upgrade (which I did two days ago), because I no longer have
the old package.

Here is the debug log of running test-convert-mtn.t of the Mercurial test
suite:

beginning commit on branch 'com.selenic.test'
Encountered an error while musing upon the following:
database.cc:1495: detected database error, 'E(value)' violated
Encountered an error while musing upon the following:
migrate_schema.cc:105: detected system error, 'E(false)' violated
Encountered an error while musing upon the following:
botan_pipe_cache.hh:42: detected internal error, 'I(!pipe)' violated
Encountered an error while musing upon the following:
botan_pipe_cache.hh:42: detected internal error, 'I(!pipe)' violated
Encountered an error while musing upon the following:
botan_pipe_cache.hh:42: detected internal error, 'I(!pipe)' violated
Encountered an error while musing upon the following:
botan_pipe_cache.hh:42: detected internal error, 'I(!pipe)' violated
Encountered an error while musing upon the following:
botan_pipe_cache.hh:42: detected internal error, 'I(!pipe)' violated
Encountered an error while musing upon the following:
botan_pipe_cache.hh:42: detected internal error, 'I(!pipe)' violated
Current work set: 4 items
- begin 'system_flavour' (in virtual void sanity::initialize(int, char**, 
const char*), at sanity.cc:112)
Linux 2.6.32-5-686 #1 SMP Tue Oct 19 14:40:34 UTC 2010 i686
-   end 'system_flavour' (in virtual void sanity::initialize(int, char**, 
const char*), at sanity.cc:112)
- begin 'cmdline_string' (in virtual void sanity::initialize(int, char**, 
const char*), at sanity.cc:126)
'mtn', 'ci', '-m', 'divergentdirmove2'
-   end 'cmdline_string' (in virtual void sanity::initialize(int, char**, 
const char*), at sanity.cc:126)
- begin 'string(lc_all)' (in virtual void sanity::initialize(int, char**, 
const char*), at sanity.cc:131)
C
-   end 'string(lc_all)' (in virtual void sanity::initialize(int, char**, 
const char*), at sanity.cc:131)
- begin 'full_version_string' (in virtual void mtn_sanity::initialize(int, 
char**, const char*), at mtn-sanity.cc:32)
monotone 0.48 (base revision: 844268c137aaa783aa800a9c16ae61edda80ecea)
Running on  : Linux 2.6.32-5-686 #1 SMP Tue Oct 19 14:40:34 UTC 2010 
i686
C++ compiler: GNU C++ version 4.4.4
C++ standard library: GNU libstdc++ version 20100712
Boost version   : 1_42
SQLite version  : 3.7.3 (compiled against 3.7.0)
Lua version : Lua 5.1
PCRE version: 8.02 2010-03-19 (compiled against 8.2)
Botan version   : 1.8.9 (compiled against 1.8.8)
Changes since base revision:
format_version "1"

new_manifest [86bede3ba4251594f3a0f7e0c31560f9f8ce3744]

old_revision [844268c137aaa783aa800a9c16ae61edda80ecea]

  Generated from data cached in the distribution;
  further changes may have been made.
-   end 'full_version_string' (in virtual void mtn_sanity::initialize(int, 
char**, const char*), at mtn-sanity.cc:32)


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (550, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages monotone depends on:
ii  libbotan-1.8.2 1.8.9-1   multiplatform crypto library
ii  libc6  2.11.2-6+squeeze1 Embedded GNU C Library: Shared lib
ii  libgcc11:4.4.5-4 GCC support library
ii  libidn11   1.15-2GNU Libidn library, implementation
ii  liblua5.1-05.1.4-5   Simple, extensible, embeddable pro
ii  libpcre3   8.02-1.1  Perl 5 Compatible Regular Expressi
ii  libsqlite3-0   3.7.3-1   SQLite 3 shared library
ii  libstdc++6 4.4.5-4   The GNU Standard C++ Library v3
ii  zlib1g 1:1.2.3.4.dfsg-3  compression library - runtime

monotone recommends no packages.

Versions of packages monotone suggests:
pn  monotone-doc   (no description available)
pn  monotone-server(no description available)

-- no debconf information



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#591293: bacula-director-pgsql: db upgrade to lenny-backports fails with ERROR: relation "file_jpfid_idx" already exists

2010-08-21 Thread Thomas Arendsen Hein
* Thomas Arendsen Hein  [20100821 22:00]:
> I'll try the change you have done in 5.0.2-2, i.e. removing the line
> 
> CREATE INDEX file_jpfid_idx on File (JobId, PathId, FilenameId);
> 
> from update_postgresql_tables.

I noticed that this actually was nearly the last thing done during
the upgrade. I just manually executed "ANALYSE;" and I think my
database is in a sane state now. I verified that the changes done in
/usr/share/dbconfig-common/data/bacula-director-pgsql/upgrade/pgsql/5.0.0
are in the database and everything looks ok.

Thanks,
Thomas

-- 
tho...@intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner






Bug#591293: bacula-director-pgsql: db upgrade to lenny-backports fails with ERROR: relation "file_jpfid_idx" already exists

2010-08-21 Thread Thomas Arendsen Hein
* John Goerzen  [20100820 21:41]:
> On 08/20/2010 01:53 PM, Thomas Arendsen Hein wrote:
>>
>> 2010-08-01 21:58:55 upgrade bacula-director-pgsql 2.4.4-1 5.0.2-1~bpo50+1
>>
>> The history before that was that I used bacula-director-sqlite3
>> 2.2.8-8 in the past and switched to postgresql without
>> importing/converting the old catalog when bacula 2.4.2-3.1 was the
>> current version in lenny/testing. dbconfig-common is still at
>> 1.8.39:
>
> OK, let me restate that and make sure I understand correctly.
>
> 1. You used to use bacula-director-sqlite3 version 2.2.8-8.
>
> 2. At some point you installed bacula-director-pgsql 2.4.2-3.1 instead.
>
> 3. You started with a freshly-installed new catalog when you installed  
> 2.4.2-3.1, and made no effort to migrate the old catalog to it.
>
> 4. You made no changes to the database schema manually at any point.
>
> 5. You upgraded to 2.4.4-1 over time.
>
> 6. Then you had an error when upgrading from 2.4.4 to 5.0.2.
>
> Is that correct?

Yes, correct.

I'll try the change you have done in 5.0.2-2, i.e. removing the line

CREATE INDEX file_jpfid_idx on File (JobId, PathId, FilenameId);

from update_postgresql_tables.

Thanks,
Thomas

-- 
tho...@intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner






Bug#573408: error while loading sb-grovel makes SBCL uninstallable

2010-04-20 Thread Thomas Arendsen Hein
Package: sbcl
Version: 1:1.0.25.0-1
Severity: normal


Bugs #547682 and #535305 discuss the same thing and provide workarounds.

#535305 is marked as closed in Sep 2009, but the packages did not yet migrate
from sid to squeeze.

sbcl is installable, but according to #535305 asdf is broken.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (550, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-3-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sbcl depends on:
ii  common-lisp-controller6.18   Common Lisp source and compiler ma
ii  libc6 2.10.2-6   Embedded GNU C Library: Shared lib

Versions of packages sbcl recommends:
ii  binfmt-support1.2.18 Support for extra binary formats

Versions of packages sbcl suggests:
pn  sbcl-doc   (no description available)
pn  sbcl-source(no description available)
pn  slime  (no description available)

-- no debconf information






Bug#484311: reportbug adds os.curdir to sys.path

2008-06-04 Thread Thomas Arendsen Hein
* Thijs Kinkhorst <[EMAIL PROTECTED]> [20080604 14:13]:
> On Wed, June 4, 2008 13:14, Nico Golde wrote:
> > I agree that it is of a low impact but I disagree that this
> > is not a security issue, people are using reportbug in /tmp and I don't see
> > a reason to assume people are not doing that.
> 
> The chance of successful exploitation still seems very small, and indeed
> even then the problem is limited to just a regular user account. It's good
> that Sandro is fixing the bug directly so I'm not going to argue over bug
> severity, but I'm marking it as no-dsa for stable.

I encountered this bug in the real world: I extracted a tarball
which contained a file named token.py, then I wanted to report a
problem and therefore started reportbug.

This tarball did not contain harmful code, but as I did not verify
it before (because I did not intend to execute parts of it), it
could have been harmful.

And of course there is /tmp as mentioned by Nico Golde.

Regards,
Thomas

-- 
[EMAIL PROTECTED] - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Osnabrueck - Register: Amtsgericht Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner






Bug#484311: reportbug adds os.curdir to sys.path

2008-06-03 Thread Thomas Arendsen Hein
Package: reportbug
Version: 3.31
Severity: grave
Tags: security
Justification: user security hole

sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path

To "exploit":

$ echo 'raise "FOO"' > token.py
$ reportbug
Traceback (most recent call last):
  File "/usr/bin/reportbug", line 39, in ?
import optparse, re, os, pwd, time, locale, commands, checkversions
  File "/usr/lib/python2.4/optparse.py", line 73, in ?
from gettext import gettext as _
  File "/usr/lib/python2.4/gettext.py", line 49, in ?
import locale, copy, os, re, struct, sys
  File "/usr/lib/python2.4/copy.py", line 65, in ?
import inspect
  File "/usr/lib/python2.4/inspect.py", line 31, in ?
import sys, os, types, string, re, dis, imp, tokenize, linecache
  File "/usr/lib/python2.4/tokenize.py", line 30, in ?
from token import *
  File "./token.py", line 1, in ?
raise "FOO"
FOO

-- Package-specific info:
** Environment settings:
EDITOR="vim"
EMAIL="Thomas Arendsen Hein <[EMAIL PROTECTED]>"

** /home/thomas/.reportbugrc:
mutt
email "[EMAIL PROTECTED]"
realname "Thomas Arendsen Hein"

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24.3-id1-k8-2
Locale: LANG=en_US, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages reportbug depends on:
ii  python2.4.4-2An interactive high-level object-o
ii  python-central0.5.12 register and build utility for Pyt

Versions of packages reportbug recommends:
pn  python-cjkcodecs | python-ico  (no description available)

-- no debconf information

-- 
[EMAIL PROTECTED] - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Osnabrueck - Register: Amtsgericht Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner






Bug#484305: bicyclerepair: bike.vim imports untrusted python files from cwd

2008-06-03 Thread Thomas Arendsen Hein
Package: bicyclerepair
Version: 0.9-4.1
Severity: critical
Tags: security
Justification: root security hole

# pwd
/tmp/roundup-1.3.3/roundup
# vim /tmp/whatever
Error detected while processing /usr/share/vim/addons/plugin/bike.vim:
line  110:
Traceback (most recent call last):
  File "", line 6, in ?
  File "/usr/lib/python2.4/site-packages/bike/__init__.py", line 10, in ?
from bikefacade import init, NotAPythonModuleOrPackageException, CouldntLocateASTNodeFromCoordinatesException, UndoStackEmptyException
  File "/usr/lib/python2.4/site-packages/bike/bikefacade.py", line 3, in ?
import compiler
  File "__init__.py", line 24, in ?

  File "compiler/transformer.py", line 1348, in ?
AttributeError: 'module' object has no attribute 'LESS'
Press ENTER or type command to continue


bicyclerepair contains /usr/share/vim/addons/plugin/bike.vim which is
automatically executed, at least in etch. I don't know about lenny/sid,
see #464817 (bicyclerepair: Conform with Vim addon policy)

It imports (i.e. runs) python code it finds in the current working
directory, in my example from the extracted roundup tarball.

I set Severity to "critical" instead of "grave", because the user who
reported the traceback to me on a multi-user system does not use
bicyclerepair, but just vim. Reportbug forced me to set "root security
hole", because everyone using vim is affected (including root) and
the Justification 5 "unknown / something else" would downgrade the
Severity to "normal". The description for "grave" said that it only
applies if the security problem affects people actually using the package.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24.3-id1-k8-2
Locale: LANG=en_US, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages bicyclerepair depends on:
ii  python2.4.4-2An interactive high-level object-o
ii  python-central0.5.12 register and build utility for Pyt

bicyclerepair recommends no packages.

-- no debconf information

-- 
[EMAIL PROTECTED] - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Osnabrueck - Register: Amtsgericht Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner


