libksba8: CVE-2022-3515 - remote code execution in libksba before 1.6.2

Debian Bug report logs - #1021928
Reported by: Thomas Arendsen Hein <thomas@intevation.de>

Date: Mon, 17 Oct 2022 12:45:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions libksba/1.5.0-3, libksba/1.3.5-2

Fixed in version 1.6.2-1

Done: Andreas Metzler <ametzler@bebt.de>

Forwarded to https://dev.gnupg.org/T6230



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#1021928; Package libksba8. (Mon, 17 Oct 2022 12:45:04 GMT)


Acknowledgement sent to Thomas Arendsen Hein <thomas@intevation.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Mon, 17 Oct 2022 12:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Thomas Arendsen Hein <thomas@intevation.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libksba8: CVE-2022-3515 - remote code execution in libksba before 1.6.2
Date: Mon, 17 Oct 2022 14:34:44 +0200
Package: libksba8
Version: 1.3.5-2
Severity: grave
Tags: security patch upstream
Justification: user security hole

Dear Maintainer,

https://gnupg.org/blog/20221017-pepe-left-the-ksba.html
announces an integer overflow that may be used for remote code
execution in versions of libksba before 1.6.2, i.e.
currently in all Debian versions except for unstable, i.e.
bookworm, bullseye, buster (LTS).

https://security-tracker.debian.org/tracker/CVE-2022-3515
still shows "Description RESERVED".

Upstream bug report: https://dev.gnupg.org/T6230

A patch is available from
https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b


Patch from git://git.gnupg.org/libksba:

commit 4b7d9cd4a018898d7714ce06f3faf2626c14582b
Author: Werner Koch <wk@gnupg.org>
Date:   Wed Oct 5 14:19:06 2022 +0200

    Detect a possible overflow directly in the TLV parser.
    
    * src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
    used sum.
    --
    
    It is quite common to have checks like
    
        if (ti.nhdr + ti.length >= DIM(tmpbuf))
           return gpg_error (GPG_ERR_TOO_LARGE);
    
    This patch detects possible integer overflows immediately when
    creating the TI object.
    
    Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929

diff --git a/src/ber-help.c b/src/ber-help.c
index 81c31ed..56efb6a 100644
--- a/src/ber-help.c
+++ b/src/ber-help.c
@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
       ti->length = len;
     }
 
+  if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
+    {
+      ti->err_string = "header+length would overflow";
+      return gpg_error (GPG_ERR_EOVERFLOW);
+    }
+
   /* Without this kludge some example certs can't be parsed */
   if (ti->class == CLASS_UNIVERSAL && !ti->tag)
     ti->length = 0;
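Review bot: the guard `ti->length > ti->nhdr` in the new condition is not needed to detect a wrapped unsigned sum and slightly narrows what the check catches. Whenever `ti->nhdr + ti->length` wraps, the result is smaller than both addends, so `(ti->nhdr + ti->length) < ti->length` is sufficient on its own; with the extra guard a wrap is only reported when `length` exceeds `nhdr`, which happens to be the only realistic case since `nhdr` counts header octets, but the shorter `if (ti->nhdr + ti->length < ti->length)` is the textbook form and matches what the commit message describes. Placement is right: the check runs after `ti->length = len;` so both fields are final, and returning `GPG_ERR_EOVERFLOW` with `err_string` set gives callers a distinct reason instead of the generic `GPG_ERR_TOO_LARGE` from the `DIM(tmpbuf)` comparisons quoted above. A regression input with a long-form length near `SIZE_MAX` would let the test suite exercise this branch.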




-- System Information:
Debian Release: 10.13
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-21-amd64 (SMP w/32 CPU cores)
Locale: LANG=en_US.utf-8, LC_CTYPE=en_US.utf-8 (charmap=UTF-8), LANGUAGE=en_US.utf-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libksba8 depends on:
ii  libc6          2.28-10+deb10u1
ii  libgpg-error0  1.35-1

libksba8 recommends no packages.

libksba8 suggests no packages.

-- no debconf information

-- 
Thomas Arendsen Hein <thomas@intevation.de>  |  https://intevation.de
Intevation GmbH, Osnabrueck, DE; Amtsgericht Osnabrueck, HRB 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter
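The check the patch adds is easiest to see on a concrete input. The program below is an added example written for this page, not libksba code: a small BER tag/length reader in the spirit of `_ksba_ber_read_tl`, a caller that performs the `ti.nhdr + ti.length >= DIM(tmpbuf)` test quoted in the commit message, and a constructed header whose long-form length makes `nhdr + length` wrap to zero. Only the names `nhdr`, `length`, `DIM(tmpbuf)` and the error string come from the commit; `tl_info`, `tl_status`, `read_tl`, `check_fits` and the `demo_*` functions are assumptions for the demonstration, and the parser-level test uses the simplified form `nhdr + length < length` without the `length > nhdr` guard the upstream patch also carries.

```c
/* Added example (not libksba code): a minimal BER tag/length reader modelled
 * on _ksba_ber_read_tl(), showing why the patched check matters.  Only the
 * names nhdr, length and DIM(tmpbuf) come from the commit; the rest is assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIM(v) (sizeof (v) / sizeof ((v)[0]))

struct tl_info {
  size_t nhdr;              /* octets used by the tag and length fields */
  size_t length;            /* content length announced by the length octets */
  const char *err_string;   /* reason on failure */
};

enum tl_status { TL_OK = 0, TL_EOF, TL_BAD_LENGTH, TL_TOO_LARGE, TL_OVERFLOW };

/* Parse one tag and length.  With DETECT_OVERFLOW set, apply the test from
   commit 4b7d9cd4 (a wrapped unsigned sum is smaller than its addends). */
static enum tl_status read_tl (const unsigned char *buf, size_t buflen,
                               struct tl_info *ti, int detect_overflow)
{
  size_t pos = 0;
  memset (ti, 0, sizeof *ti);
  if (buflen < 2) return TL_EOF;
  pos++;                                    /* tag octet, low-tag-number form */
  unsigned char c = buf[pos++];
  if (c < 0x80)
    ti->length = c;                         /* short form */
  else
    {
      size_t n = c & 0x7f, len = 0, i;      /* long form: N length octets */
      if (n == 0 || n > sizeof (size_t) || pos + n > buflen)
        return TL_BAD_LENGTH;
      for (i = 0; i < n; i++) len = (len << 8) | buf[pos++];
      ti->length = len;
    }
  ti->nhdr = pos;
  if (detect_overflow && ti->nhdr + ti->length < ti->length)
    {
      ti->err_string = "header+length would overflow";
      return TL_OVERFLOW;
    }
  return TL_OK;
}

/* A caller of the kind the commit message quotes: reject a TLV that does not
   fit TMPBUF before copying it.  A wrapped sum passes this comparison and the
   copy would run past the buffer; the parser-level check stops it earlier. */
static enum tl_status check_fits (const unsigned char *buf, size_t buflen,
                                  int detect_overflow)
{
  unsigned char tmpbuf[64];
  struct tl_info ti;
  enum tl_status st = read_tl (buf, buflen, &ti, detect_overflow);
  if (st != TL_OK)
    return st;
  if (ti.nhdr + ti.length >= DIM (tmpbuf))
    return TL_TOO_LARGE;
  return TL_OK;   /* memcpy (tmpbuf, ..., ti.nhdr + ti.length) would follow */
}

/* Constructed input: SEQUENCE (0x30) with a long-form length chosen so that
   nhdr + length wraps to exactly 0, built for whatever sizeof (size_t) is. */
static size_t build_wrapping_header (unsigned char *out)
{
  size_t n = sizeof (size_t), nhdr = 2 + n, len = SIZE_MAX - nhdr + 1, i;
  out[0] = 0x30;
  out[1] = (unsigned char) (0x80 | n);
  for (i = 0; i < n; i++)
    out[2 + i] = (unsigned char) (len >> (8 * (n - 1 - i)));
  return nhdr;
}

/* What check_fits() decides for the wrapping header, with or without the fix. */
enum tl_status demo_wrapping (int detect_overflow)
{
  unsigned char hdr[2 + sizeof (size_t)];
  size_t nhdr = build_wrapping_header (hdr);
  return check_fits (hdr, nhdr, detect_overflow);
}

/* What check_fits() decides for an honest but oversized length (255). */
enum tl_status demo_oversized (void)
{
  static const unsigned char hdr[] = { 0x30, 0x81, 0xff };
  return check_fits (hdr, sizeof hdr, 1);
}

int main (void)
{
  printf ("unpatched accepts wrapping TLV: %d\n", demo_wrapping (0) == TL_OK);
  printf ("patched reports overflow:       %d\n", demo_wrapping (1) == TL_OVERFLOW);
  printf ("length 255 too large:           %d\n", demo_oversized () == TL_TOO_LARGE);
  return 0;
}
```

Without the parser-level check the wrapping header reaches `check_fits` with a sum of 0, which is below `DIM(tmpbuf)`, so the size test that was supposed to protect the buffer passes; with it, the parser returns the overflow status before any caller compares the sum against a buffer size.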



Reply sent to Andreas Metzler <ametzler@bebt.de>:
You have taken responsibility. (Mon, 17 Oct 2022 18:27:07 GMT)


Notification sent to Thomas Arendsen Hein <thomas@intevation.de>:
Bug acknowledged by developer. (Mon, 17 Oct 2022 18:27:07 GMT)


Message #10 received at 1021928-done@bugs.debian.org:

From: Andreas Metzler <ametzler@bebt.de>
To: 1021928-done@bugs.debian.org
Subject: Re: Bug#1021928: libksba8: CVE-2022-3515 - remote code execution in libksba before 1.6.2
Date: Mon, 17 Oct 2022 20:23:06 +0200
Version: 1.6.2-1

On 2022-10-17 Thomas Arendsen Hein <thomas@intevation.de> wrote:
> Package: libksba8
> Version: 1.3.5-2
> Severity: grave
> Tags: security patch upstream
> Justification: user security hole

> Dear Maintainer,

> https://gnupg.org/blog/20221017-pepe-left-the-ksba.html
> announces an integer overflow that may be used for remote code
> execution in versions of libksba before 1.6.2, i.e.
> currently in all Debian versions except for unstable, i.e.
> bookworm, bullseye, buster (LTS).
[...]

Marking as fixed in sid ...

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Set Bug forwarded-to-address to 'https://dev.gnupg.org/T6230'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 17 Oct 2022 18:39:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#1021928; Package libksba8. (Mon, 17 Oct 2022 18:51:03 GMT)


Acknowledgement sent to Daniel Kahn Gillmor <dkg@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Mon, 17 Oct 2022 18:51:03 GMT)


Message #17 received at 1021928@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@debian.org>
To: Thomas Arendsen Hein <thomas@intevation.de>, 1021928@bugs.debian.org, Andreas Metzler <ametzler@debian.org>, security@debian.org
Subject: Re: Bug#1021928: libksba8: CVE-2022-3515 - remote code execution in libksba before 1.6.2
Date: Mon, 17 Oct 2022 14:48:20 -0400
[Message part 1 (text/plain, inline)]
FWIW, the patch highlighted by Thomas appears to apply cleanly to 1.5.0
(the version in debian stable).

We should apply this on top of 1.5.0-3 for bullseye, and 1.3.5-2 for
buster.

The attached debdiffs do that, and should be able to build properly.

I've also uploaded them to the debian/bullseye and debian/buster
branches at https://salsa.debian.org/dkg/libksba (using DEP-14 naming
conventions), though i don't know how useful extra git branches are to
Andreas, who has capably maintained libksba for many years -- i don't
see what his preferred workflow is for handling security updates, maybe
it's not in git.

If the security team and Andreas are ok with these updates to bullseye
and buster, i can do the upload into bullseye-security and
buster-security.

1.6.2 should migrate into testing shortly, so i'm not sure that we have
anything else to do there.

   --dkg

On Mon 2022-10-17 14:34:44 +0200, Thomas Arendsen Hein wrote:
> Package: libksba8
> Version: 1.3.5-2
> Severity: grave
> Tags: security patch upstream
> Justification: user security hole
>
> Dear Maintainer,
>
> https://gnupg.org/blog/20221017-pepe-left-the-ksba.html
> announces an integer overflow that may be used for remote code
> execution in versions of libksba before 1.6.2, i.e.
> currently in all Debian versions except for unstable, i.e.
> bookworm, bullseye, buster (LTS).
>
> https://security-tracker.debian.org/tracker/CVE-2022-3515
> still shows "Description RESERVED".
>
> Upstream bug report: https://dev.gnupg.org/T6230
>
> A patch is available from
> https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b
>
>
> Patch from git://git.gnupg.org/libksba:
>
> commit 4b7d9cd4a018898d7714ce06f3faf2626c14582b
> Author: Werner Koch <wk@gnupg.org>
> Date:   Wed Oct 5 14:19:06 2022 +0200
>
>     Detect a possible overflow directly in the TLV parser.
>     
>     * src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
>     used sum.
>     --
>     
>     It is quite common to have checks like
>     
>         if (ti.nhdr + ti.length >= DIM(tmpbuf))
>            return gpg_error (GPG_ERR_TOO_LARGE);
>     
>     This patch detects possible integer overflows immediately when
>     creating the TI object.
>     
>     Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
>
> diff --git a/src/ber-help.c b/src/ber-help.c
> index 81c31ed..56efb6a 100644
> --- a/src/ber-help.c
> +++ b/src/ber-help.c
> @@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
>        ti->length = len;
>      }
>  
> +  if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
> +    {
> +      ti->err_string = "header+length would overflow";
> +      return gpg_error (GPG_ERR_EOVERFLOW);
> +    }
> +
>    /* Without this kludge some example certs can't be parsed */
>    if (ti->class == CLASS_UNIVERSAL && !ti->tag)
>      ti->length = 0;
>
>
>
>
> -- System Information:
> Debian Release: 10.13
>   APT prefers oldstable-updates
>   APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.19.0-21-amd64 (SMP w/32 CPU cores)
> Locale: LANG=en_US.utf-8, LC_CTYPE=en_US.utf-8 (charmap=UTF-8), LANGUAGE=en_US.utf-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages libksba8 depends on:
> ii  libc6          2.28-10+deb10u1
> ii  libgpg-error0  1.35-1
>
> libksba8 recommends no packages.
>
> libksba8 suggests no packages.
>
> -- no debconf information
>
> -- 
> Thomas Arendsen Hein <thomas@intevation.de>  |  https://intevation.de
> Intevation GmbH, Osnabrueck, DE; Amtsgericht Osnabrueck, HRB 18998
> Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter
>
> -- 
> Pkg-gnutls-maint mailing list
> Pkg-gnutls-maint@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-gnutls-maint

[libksba_1.5.0-3_1.5.0-3+deb11u1.debdiff (text/x-diff, inline)]
diff -Nru libksba-1.5.0/debian/changelog libksba-1.5.0/debian/changelog
--- libksba-1.5.0/debian/changelog	2020-12-24 02:06:58.000000000 -0500
+++ libksba-1.5.0/debian/changelog	2022-10-17 14:15:08.000000000 -0400
@@ -1,3 +1,10 @@
+libksba (1.5.0-3+deb11u1) bullseye-security; urgency=high
+
+  * Non-maintainer upload
+  * fix CVE 2022-3515
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 17 Oct 2022 14:15:08 -0400
+
 libksba (1.5.0-3) unstable; urgency=medium
 
   * Add 10_Fix-a-possible-segv-in-case-of-an-unknown-CMS-object.patch from
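Review bot: the changelog entry writes the identifier as `CVE 2022-3515`; the canonical form is `CVE-2022-3515`, and the Debian security tracker matches changelog text on the hyphenated form, so the space breaks the automatic association between this upload and the tracker entry. The entry should also carry `(Closes: #1021928)` so the BTS closes this report when the package is accepted. Suggested wording: `* Apply upstream patch for CVE-2022-3515 (integer overflow in the TLV parser) (Closes: #1021928)`.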
diff -Nru libksba-1.5.0/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch libksba-1.5.0/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
--- libksba-1.5.0/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch	1969-12-31 19:00:00.000000000 -0500
+++ libksba-1.5.0/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch	2022-10-17 14:13:49.000000000 -0400
@@ -0,0 +1,42 @@
+From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Wed, 5 Oct 2022 14:19:06 +0200
+Subject: [PATCH] Detect a possible overflow directly in the TLV parser.
+
+* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
+used sum.
+--
+
+It is quite common to have checks like
+
+    if (ti.nhdr + ti.length >= DIM(tmpbuf))
+       return gpg_error (GPG_ERR_TOO_LARGE);
+
+This patch detects possible integer overflows immmediately when
+creating the TI object.
+
+Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
+---
+ src/ber-help.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/ber-help.c b/src/ber-help.c
+index 81c31ed..56efb6a 100644
+--- a/src/ber-help.c
++++ b/src/ber-help.c
+@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
+       ti->length = len;
+     }
+ 
++  if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
++    {
++      ti->err_string = "header+length would overflow";
++      return gpg_error (GPG_ERR_EOVERFLOW);
++    }
++
+   /* Without this kludge some example certs can't be parsed */
+   if (ti->class == CLASS_UNIVERSAL && !ti->tag)
+     ti->length = 0;
+-- 
+2.35.1
+
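Review bot: the new patch file carries only the git format-patch header, so its provenance is not recorded anywhere outside this mail thread; add DEP-3 fields above the `---` separator, e.g. `Origin: upstream, https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b`, `Bug: https://dev.gnupg.org/T6230` and `Bug-Debian: https://bugs.debian.org/1021928`. The embedded hunk is the upstream commit verbatim (`@@ -182,6 +182,12 @@` matches the commit quoted earlier in the report), which is consistent with the statement that it applies cleanly to 1.5.0.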
diff -Nru libksba-1.5.0/debian/patches/series libksba-1.5.0/debian/patches/series
--- libksba-1.5.0/debian/patches/series	2020-12-24 02:06:01.000000000 -0500
+++ libksba-1.5.0/debian/patches/series	2022-10-17 14:10:46.000000000 -0400
@@ -1,2 +1,3 @@
 0001-fix-win32-linker.patch
 10_Fix-a-possible-segv-in-case-of-an-unknown-CMS-object.patch
+20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
[libksba_1.3.5-2_1.3.5-2+deb10u1.debdiff (text/x-diff, inline)]
diff -Nru libksba-1.3.5/debian/changelog libksba-1.3.5/debian/changelog
--- libksba-1.3.5/debian/changelog	2016-09-03 09:22:31.000000000 -0400
+++ libksba-1.3.5/debian/changelog	2022-10-17 14:15:08.000000000 -0400
@@ -1,3 +1,10 @@
+libksba (1.3.5-2+deb10u1) buster-security; urgency=high
+
+  * Non-maintainer upload
+  * fix CVE 2022-3515
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Mon, 17 Oct 2022 14:15:08 -0400
+
 libksba (1.3.5-2) unstable; urgency=medium
 
   * Upload to unstable.
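Review bot: same identifier problem as in the bullseye debdiff: `CVE 2022-3515` should read `CVE-2022-3515` so the security tracker picks the entry up, and the entry should carry `(Closes: #1021928)`.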
diff -Nru libksba-1.3.5/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch libksba-1.3.5/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
--- libksba-1.3.5/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch	1969-12-31 19:00:00.000000000 -0500
+++ libksba-1.3.5/debian/patches/20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch	2022-10-17 14:15:08.000000000 -0400
@@ -0,0 +1,42 @@
+From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Wed, 5 Oct 2022 14:19:06 +0200
+Subject: [PATCH] Detect a possible overflow directly in the TLV parser.
+
+* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
+used sum.
+--
+
+It is quite common to have checks like
+
+    if (ti.nhdr + ti.length >= DIM(tmpbuf))
+       return gpg_error (GPG_ERR_TOO_LARGE);
+
+This patch detects possible integer overflows immmediately when
+creating the TI object.
+
+Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
+---
+ src/ber-help.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/ber-help.c b/src/ber-help.c
+index 81c31ed..56efb6a 100644
+--- a/src/ber-help.c
++++ b/src/ber-help.c
+@@ -181,6 +181,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
+       ti->length = len;
+     }
+ 
++  if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
++    {
++      ti->err_string = "header+length would overflow";
++      return gpg_error (GPG_ERR_EOVERFLOW);
++    }
++
+   /* Without this kludge some example certs can't be parsed */
+   if (ti->class == CLASS_UNIVERSAL && !ti->tag)
+     ti->length = 0;
+-- 
+2.35.1
+
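Review bot: the embedded hunk header here reads `@@ -181,6 +181,12 @@` while the upstream commit and the bullseye copy read `@@ -182,6 +182,12 @@`, so this file was refreshed against 1.3.5 rather than taken from upstream byte for byte, yet it still presents itself under the upstream `From 4b7d9cd4...` line. Record that in DEP-3 headers (`Origin: backport, https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b`, `Bug-Debian: https://bugs.debian.org/1021928`) so a later reviewer does not expect an identical patch. The context lines (`ti->length = len;` and the `CLASS_UNIVERSAL` kludge) are unchanged, so the check lands at the same point in `_ksba_ber_read_tl` as in 1.5.0.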
diff -Nru libksba-1.3.5/debian/patches/series libksba-1.3.5/debian/patches/series
--- libksba-1.3.5/debian/patches/series	2016-02-17 13:18:06.000000000 -0500
+++ libksba-1.3.5/debian/patches/series	2022-10-17 14:15:08.000000000 -0400
@@ -1 +1,2 @@
 0001-fix-win32-linker.patch
+20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
[signature.asc (application/pgp-signature, inline)]

Marked as found in versions libksba/1.5.0-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 17 Oct 2022 19:54:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#1021928; Package libksba8. (Mon, 17 Oct 2022 20:18:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Mon, 17 Oct 2022 20:18:05 GMT)


Message #24 received at 1021928@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Daniel Kahn Gillmor <dkg@debian.org>
Cc: Thomas Arendsen Hein <thomas@intevation.de>, 1021928@bugs.debian.org, Andreas Metzler <ametzler@debian.org>, security@debian.org
Subject: Re: Bug#1021928: libksba8: CVE-2022-3515 - remote code execution in libksba before 1.6.2
Date: Mon, 17 Oct 2022 22:16:15 +0200
Hi Daniel,

On Mon, Oct 17, 2022 at 02:48:20PM -0400, Daniel Kahn Gillmor wrote:
> FWIW, the patch highlighted by Thomas appears to apply cleanly to 1.5.0
> (the version in debian stable).
> 
> We should apply this on top of 1.5.0-3 for bullseye, and 1.3.5-2 for
> buster.
> 
> The attached debdiffs do that, and should be able to build properly.
> 
> I've also uploaded them to the debian/bullseye and debian/buster
> branches at https://salsa.debian.org/dkg/libksba (using DEP-14 naming
> conventions), though i don't know how useful extra git branches are to
> Andreas, who has capably maintained libksba for many years -- i don't
> see what his preferred workflow is for handling security updates, maybe
> it's not in git.
> 
> If the security team and Andreas are ok with these updates to bullseye
> and buster, i can do the upload into bullseye-security and
> buster-security.

Thanks for the offer. Andreas did already handle the bullseye-security
update (DSA was just released) and Markus will handle the LTS upload.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#1021928; Package libksba8. (Tue, 18 Oct 2022 08:09:09 GMT)


Acknowledgement sent to Daniel Kahn Gillmor <dkg@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Tue, 18 Oct 2022 08:09:09 GMT)


Message #29 received at 1021928@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Thomas Arendsen Hein <thomas@intevation.de>, 1021928@bugs.debian.org, Andreas Metzler <ametzler@debian.org>, security@debian.org
Subject: Re: Bug#1021928: libksba8: CVE-2022-3515 - remote code execution in libksba before 1.6.2
Date: Tue, 18 Oct 2022 04:04:39 -0400
[Message part 1 (text/plain, inline)]
On Mon 2022-10-17 22:16:15 +0200, Salvatore Bonaccorso wrote:
> Thanks for the offer. Andreas did already handle the bullseye-security
> update (DSA was just released) and Markus will handle the LTS upload.

great, many thanks to Andreas and Markus for taking care of this, and to
you Salvatore for coordinating and communicating about it!

       --dkg
[signature.asc (application/pgp-signature, inline)]


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Oct 18 13:23:09 2022; Machine Name: bembo
