Debian Bug report logs - #1021928
libksba8: CVE-2022-3515 - remote code execution in libksba before 1.6.2
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>: Bug#1021928; Package libksba8. (Mon, 17 Oct 2022 12:45:04 GMT)
Acknowledgement sent to Thomas Arendsen Hein <thomas@intevation.de>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Mon, 17 Oct 2022 12:45:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libksba8
Version: 1.3.5-2
Severity: grave
Tags: security patch upstream
Justification: user security hole
Dear Maintainer,
https://gnupg.org/blog/20221017-pepe-left-the-ksba.html
announces an integer overflow that may be used for remote code
execution in versions of libksba before 1.6.2, i.e.
currently in all Debian versions except for unstable, i.e.
bookworm, bullseye, buster (LTS)
https://security-tracker.debian.org/tracker/CVE-2022-3515
still shows "Description RESERVED".
Upstream bug report: https://dev.gnupg.org/T6230
A patch is available from
https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b
Patch from git://git.gnupg.org/libksba:
commit 4b7d9cd4a018898d7714ce06f3faf2626c14582b
Author: Werner Koch <wk@gnupg.org>
Date: Wed Oct 5 14:19:06 2022 +0200
Detect a possible overflow directly in the TLV parser.
* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
used sum.
--
It is quite common to have checks like
if (ti.nhdr + ti.length >= DIM(tmpbuf))
return gpg_error (GPG_ERR_TOO_LARGE);
This patch detects possible integer overflows immediately when
creating the TI object.
Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
diff --git a/src/ber-help.c b/src/ber-help.c
index 81c31ed..56efb6a 100644
--- a/src/ber-help.c
+++ b/src/ber-help.c
@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
ti->length = len;
}
+ if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
+ {
+ ti->err_string = "header+length would overflow";
+ return gpg_error (GPG_ERR_EOVERFLOW);
+ }
+
/* Without this kludge some example certs can't be parsed */
if (ti->class == CLASS_UNIVERSAL && !ti->tag)
ti->length = 0;
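Review bot: the new guard relies on `nhdr` and `length` being unsigned, and that deserves a comment next to the condition: `(ti->nhdr + ti->length) < ti->length` can only be true after the sum wraps, and the leading `ti->length > ti->nhdr` limits the test to the operand large enough to cause the wrap. Note also that `ti->length = len` has already run when the error is returned, so a caller that ignores the `GPG_ERR_EOVERFLOW` result still sees the oversized length; every caller of `_ksba_ber_read_tl` must check the return value before computing `ti->nhdr + ti->length` itself.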
-- System Information:
Debian Release: 10.13
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-21-amd64 (SMP w/32 CPU cores)
Locale: LANG=en_US.utf-8, LC_CTYPE=en_US.utf-8 (charmap=UTF-8), LANGUAGE=en_US.utf-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libksba8 depends on:
ii libc6 2.28-10+deb10u1
ii libgpg-error0 1.35-1
libksba8 recommends no packages.
libksba8 suggests no packages.
-- no debconf information
--
Thomas Arendsen Hein <thomas@intevation.de> | https://intevation.de
Intevation GmbH, Osnabrueck, DE; Amtsgericht Osnabrueck, HRB 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter
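The wraparound that the upstream patch closes, as an added C example (not libksba's code): the struct and function names are stand-ins for libksba's `struct tag_info` and `_ksba_ber_read_tl`, and the two size fields are assumed to be unsigned, which is what makes the wrapped-sum test work.

```c
/* Added example, not libksba code: models the header+length overflow
 * check introduced by upstream commit 4b7d9cd. The struct below is an
 * assumed stand-in for libksba's struct tag_info; the real field types
 * are not shown in the bug thread, so unsigned size_t is assumed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define TMPBUF_DIM 64                 /* stand-in for DIM(tmpbuf) */

struct tag_info_demo {
    size_t nhdr;                      /* bytes in the tag+length header */
    size_t length;                    /* content length decoded from the TLV */
    const char *err_string;
};

/* Caller-side bound check as it existed before the patch. With a
 * malformed, oversized length the unsigned sum wraps and the test passes. */
int fits_tmpbuf_unchecked(const struct tag_info_demo *ti)
{
    return (ti->nhdr + ti->length) < TMPBUF_DIM;
}

/* The patched reader's guard: a sum smaller than one of its operands can
 * only happen after wraparound, so reject the TI object right away. */
int read_tl_check(struct tag_info_demo *ti)
{
    if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length) {
        ti->err_string = "header+length would overflow";
        return -1;                    /* stands in for GPG_ERR_EOVERFLOW */
    }
    ti->err_string = NULL;
    return 0;
}

/* 1 if the old bound check would accept (nhdr, length) while the patched
 * guard rejects it, i.e. exactly the case the patch closes. */
int old_check_fooled(size_t nhdr, size_t length)
{
    struct tag_info_demo ti = { nhdr, length, NULL };
    return fits_tmpbuf_unchecked(&ti) && read_tl_check(&ti) != 0;
}

int main(void)
{
    /* constructed sample: a 4-byte header with a length near SIZE_MAX */
    printf("sane TLV fooled: %d\n", old_check_fooled(4, 10));
    printf("wrapping TLV fooled: %d\n", old_check_fooled(4, SIZE_MAX - 1));
    return 0;
}
```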
Reply sent to Andreas Metzler <ametzler@bebt.de>: You have taken responsibility. (Mon, 17 Oct 2022 18:27:07 GMT)
Notification sent to Thomas Arendsen Hein <thomas@intevation.de>: Bug acknowledged by developer. (Mon, 17 Oct 2022 18:27:07 GMT)
Message #10 received at 1021928-done@bugs.debian.org:
Version: 1.6.2-1
On 2022-10-17 Thomas Arendsen Hein <thomas@intevation.de> wrote:
> Package: libksba8
> Version: 1.3.5-2
> Severity: grave
> Tags: security patch upstream
> Justification: user security hole
> Dear Maintainer,
> https://gnupg.org/blog/20221017-pepe-left-the-ksba.html
> announces an integer overflow that may be used for remote code
> execution in versions of libksba before 1.6.2, i.e.
> currently in all Debian versions except for unstable, i.e.
> bookworm, bullseye, buster (LTS)
[...]
Marking as fixed in sid ...
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>: Bug#1021928; Package libksba8. (Mon, 17 Oct 2022 18:51:03 GMT)
Acknowledgement sent to Daniel Kahn Gillmor <dkg@debian.org>: Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Mon, 17 Oct 2022 18:51:03 GMT)
Message #17 received at 1021928@bugs.debian.org:
FWIW, the patch highlighted by Thomas appears to apply cleanly to 1.5.0
(the version in debian stable).
We should apply this on top of 1.5.0-3 for bullseye, and 1.3.5-2 for
buster.
The attached debdiffs do that, and should be able to build properly.
I've also uploaded them to the debian/bullseye and debian/buster
branches at https://salsa.debian.org/dkg/libksba (using DEP-14 naming
conventions), though i don't know how useful extra git branches are to
Andreas, who has capably maintained libksba for many years -- i don't
see what his preferred workflow is for handling security updates, maybe
it's not in git.
If the security team and Andreas are ok with these updates to bullseye
and buster, i can do the upload into bullseye-security and
buster-security.
1.6.2 should migrate into testing shortly, so i'm not sure that we have
anything else to do there.
--dkg
On Mon 2022-10-17 14:34:44 +0200, Thomas Arendsen Hein wrote:
> Package: libksba8
> Version: 1.3.5-2
> Severity: grave
> Tags: security patch upstream
> Justification: user security hole
>
> Dear Maintainer,
>
> https://gnupg.org/blog/20221017-pepe-left-the-ksba.html
> announces an integer overflow that may be used for remote code
> execution in versions of libksba before 1.6.2, i.e.
> currently in all Debian versions except for unstable, i.e.
> bookworm, bullseye, buster (LTS)
>
> https://security-tracker.debian.org/tracker/CVE-2022-3515
> still shows "Description RESERVED".
>
> Upstream bug report: https://dev.gnupg.org/T6230
>
> A patch is available from
> https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b
>
>
> Patch from git://git.gnupg.org/libksba:
>
> commit 4b7d9cd4a018898d7714ce06f3faf2626c14582b
> Author: Werner Koch <wk@gnupg.org>
> Date: Wed Oct 5 14:19:06 2022 +0200
>
> Detect a possible overflow directly in the TLV parser.
>
> * src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
> used sum.
> --
>
> It is quite common to have checks like
>
> if (ti.nhdr + ti.length >= DIM(tmpbuf))
> return gpg_error (GPG_ERR_TOO_LARGE);
>
> This patch detects possible integer overflows immediately when
> creating the TI object.
>
> Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
>
> diff --git a/src/ber-help.c b/src/ber-help.c
> index 81c31ed..56efb6a 100644
> --- a/src/ber-help.c
> +++ b/src/ber-help.c
> @@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
> ti->length = len;
> }
>
> + if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
> + {
> + ti->err_string = "header+length would overflow";
> + return gpg_error (GPG_ERR_EOVERFLOW);
> + }
> +
> /* Without this kludge some example certs can't be parsed */
> if (ti->class == CLASS_UNIVERSAL && !ti->tag)
> ti->length = 0;
>
> -- System Information:
> Debian Release: 10.13
> APT prefers oldstable-updates
> APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.19.0-21-amd64 (SMP w/32 CPU cores)
> Locale: LANG=en_US.utf-8, LC_CTYPE=en_US.utf-8 (charmap=UTF-8), LANGUAGE=en_US.utf-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages libksba8 depends on:
> ii libc6 2.28-10+deb10u1
> ii libgpg-error0 1.35-1
>
> libksba8 recommends no packages.
>
> libksba8 suggests no packages.
>
> -- no debconf information
>
> --
> Thomas Arendsen Hein <thomas@intevation.de> | https://intevation.de
> Intevation GmbH, Osnabrueck, DE; Amtsgericht Osnabrueck, HRB 18998
> Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter
>
[libksba_1.5.0-3_1.5.0-3+deb11u1.debdiff (text/x-diff, inline)]
diff -Nru libksba-1.5.0/debian/changelog libksba-1.5.0/debian/changelog
--- libksba-1.5.0/debian/changelog 2020-12-24 02:06:58.000000000 -0500
+++ libksba-1.5.0/debian/changelog 2022-10-17 14:15:08.000000000 -0400
@@ -1,3 +1,10 @@
+libksba (1.5.0-3+deb11u1) bullseye-security; urgency=high
+
+ * Non-maintainer upload
+ * fix CVE 2022-3515
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 17 Oct 2022 14:15:08 -0400
+
libksba (1.5.0-3) unstable; urgency=medium
* Add 10_Fix-a-possible-segv-in-case-of-an-unknown-CMS-object.patch from
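Review bot: the changelog line `* fix CVE 2022-3515` should use the canonical identifier form `CVE-2022-3515` so that tooling which scans changelogs for CVE ids matches it, and the entry should carry `(Closes: #1021928)` so the upload closes this bug automatically.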
diff -Nru libksba-1.5.0/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch libksba-1.5.0/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
--- libksba-1.5.0/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch 1969-12-31 19:00:00.000000000 -0500
+++ libksba-1.5.0/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch 2022-10-17 14:13:49.000000000 -0400
@@ -0,0 +1,42 @@
+From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Wed, 5 Oct 2022 14:19:06 +0200
+Subject: [PATCH] Detect a possible overflow directly in the TLV parser.
+
+* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
+used sum.
+--
+
+It is quite common to have checks like
+
+ if (ti.nhdr + ti.length >= DIM(tmpbuf))
+ return gpg_error (GPG_ERR_TOO_LARGE);
+
+This patch detects possible integer overflows immmediately when
+creating the TI object.
+
+Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
+---
+ src/ber-help.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/ber-help.c b/src/ber-help.c
+index 81c31ed..56efb6a 100644
+--- a/src/ber-help.c
++++ b/src/ber-help.c
+@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
+ ti->length = len;
+ }
+
++ if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
++ {
++ ti->err_string = "header+length would overflow";
++ return gpg_error (GPG_ERR_EOVERFLOW);
++ }
++
+ /* Without this kludge some example certs can't be parsed */
+ if (ti->class == CLASS_UNIVERSAL && !ti->tag)
+ ti->length = 0;
+--
+2.35.1
+
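Review bot: the new patch file keeps only the git format-patch headers and has no DEP-3 provenance fields; adding `Origin: upstream, https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b` and `Bug-Debian: https://bugs.debian.org/1021928` to the header block would let the patch explain itself without this bug thread.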
diff -Nru libksba-1.5.0/debian/patches/series libksba-1.5.0/debian/patches/series
--- libksba-1.5.0/debian/patches/series 2020-12-24 02:06:01.000000000 -0500
+++ libksba-1.5.0/debian/patches/series 2022-10-17 14:10:46.000000000 -0400
@@ -1,2 +1,3 @@
0001-fix-win32-linker.patch
10_Fix-a-possible-segv-in-case-of-an-unknown-CMS-object.patch
+20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
[libksba_1.3.5-2_1.3.5-2+deb10u1.debdiff (text/x-diff, inline)]
diff -Nru libksba-1.3.5/debian/changelog libksba-1.3.5/debian/changelog
--- libksba-1.3.5/debian/changelog 2016-09-03 09:22:31.000000000 -0400
+++ libksba-1.3.5/debian/changelog 2022-10-17 14:15:08.000000000 -0400
@@ -1,3 +1,10 @@
+libksba (1.3.5-2+deb10u1) buster-security; urgency=high
+
+ * Non-maintainer upload
+ * fix CVE 2022-3515
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 17 Oct 2022 14:15:08 -0400
+
libksba (1.3.5-2) unstable; urgency=medium
* Upload to unstable.
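Review bot: as in the bullseye entry, `* fix CVE 2022-3515` should read `CVE-2022-3515`, and the entry should include `(Closes: #1021928)` so the buster-security upload closes this bug.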
diff -Nru libksba-1.3.5/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch libksba-1.3.5/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
--- libksba-1.3.5/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch 1969-12-31 19:00:00.000000000 -0500
+++ libksba-1.3.5/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch 2022-10-17 14:15:08.000000000 -0400
@@ -0,0 +1,42 @@
+From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Wed, 5 Oct 2022 14:19:06 +0200
+Subject: [PATCH] Detect a possible overflow directly in the TLV parser.
+
+* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
+used sum.
+--
+
+It is quite common to have checks like
+
+ if (ti.nhdr + ti.length >= DIM(tmpbuf))
+ return gpg_error (GPG_ERR_TOO_LARGE);
+
+This patch detects possible integer overflows immmediately when
+creating the TI object.
+
+Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
+---
+ src/ber-help.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/ber-help.c b/src/ber-help.c
+index 81c31ed..56efb6a 100644
+--- a/src/ber-help.c
++++ b/src/ber-help.c
+@@ -181,6 +181,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
+ ti->length = len;
+ }
+
++ if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
++ {
++ ti->err_string = "header+length would overflow";
++ return gpg_error (GPG_ERR_EOVERFLOW);
++ }
++
+ /* Without this kludge some example certs can't be parsed */
+ if (ti->class == CLASS_UNIVERSAL && !ti->tag)
+ ti->length = 0;
+--
+2.35.1
+
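Review bot: the hunk header inside this patch file reads `@@ -181,6 +181,12 @@` whereas the upstream commit and the bullseye copy have `@@ -182,6 +182,12 @@`, so the patch was rebased onto the 1.3.5 tree while still carrying the upstream `From 4b7d9cd4a018898d7714ce06f3faf2626c14582b` line; quilt will apply it, but a DEP-3 `Origin: backport, https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b` line would record that it is no longer byte-identical to upstream.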
diff -Nru libksba-1.3.5/debian/patches/series libksba-1.3.5/debian/patches/series
--- libksba-1.3.5/debian/patches/series 2016-02-17 13:18:06.000000000 -0500
+++ libksba-1.3.5/debian/patches/series 2022-10-17 14:15:08.000000000 -0400
@@ -1 +1,2 @@
0001-fix-win32-linker.patch
+20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
Marked as found in versions libksba/1.5.0-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 17 Oct 2022 19:54:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>: Bug#1021928; Package libksba8. (Mon, 17 Oct 2022 20:18:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Mon, 17 Oct 2022 20:18:05 GMT)
Message #24 received at 1021928@bugs.debian.org:
Hi Daniel,
On Mon, Oct 17, 2022 at 02:48:20PM -0400, Daniel Kahn Gillmor wrote:
> FWIW, the patch highlighted by Thomas appears to apply cleanly to 1.5.0
> (the version in debian stable).
>
> We should apply this on top of 1.5.0-3 for bullseye, and 1.3.5-2 for
> buster.
>
> The attached debdiffs do that, and should be able to build properly.
>
> I've also uploaded them to the debian/bullseye and debian/buster
> branches at https://salsa.debian.org/dkg/libksba (using DEP-14 naming
> conventions), though i don't know how useful extra git branches are to
> Andreas, who has capably maintained libksba for many years -- i don't
> see what his preferred workflow is for handling security updates, maybe
> it's not in git.
>
> If the security team and Andreas are ok with these updates to bullseye
> and buster, i can do the upload into bullseye-security and
> buster-security.
Thanks for the offer. Andreas did already handle the bullseye-security
update (DSA was just released) and Markus will handle the LTS upload.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>: Bug#1021928; Package libksba8. (Tue, 18 Oct 2022 08:09:09 GMT)
Acknowledgement sent to Daniel Kahn Gillmor <dkg@debian.org>: Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Tue, 18 Oct 2022 08:09:09 GMT)
Message #29 received at 1021928@bugs.debian.org:
On Mon 2022-10-17 22:16:15 +0200, Salvatore Bonaccorso wrote:
> Thanks for the offer. Andreas did already handle the bullseye-security
> update (DSA was just released) and Markus will handle the LTS upload.
great, many thanks to Andreas and Markus for taking care of this, and to
you Salvatore for coordinating and communicating about it!
--dkg
Last modified: Tue Oct 18 13:23:09 2022