592078 – (CVE-2016-4579) <dev-libs/libksba-1.3.5: Unproportional amount of memory allocated when parsing crafted certificates

Bug 592078 (CVE-2016-4579) - <dev-libs/libksba-1.3.5: Unproportional amount of memory allocated when parsing crafted certificates

Summary: <dev-libs/libksba-1.3.5: Unproportional amount of memory allocated when parsi...

Status:	RESOLVED FIXED

Alias:	CVE-2016-4579

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	A3 [glsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2016-08-25 09:23 UTC by Agostino Sarubbo
Modified:	2017-06-22 17:46 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2016-08-25 09:23:47 UTC

From ${URL} :

It was found that an unproportionate amount of memory is allocated when parsing crafted certificates in 
libskba, which may lead to DoS. Moreover in libksba 1.3.4, allocated memory is uninitialized and could 
potentially contain sensitive data left in freed memory block.

Public via:

http://seclists.org/oss-sec/2016/q3/343


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2016-09-13 00:17:02 UTC

@ Arches,

please test and mark stable: =dev-libs/libksba-1.3.5

Targeted stable KEYWORDS: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Comment 2 Agostino Sarubbo gentoo-dev

2016-09-13 11:37:39 UTC

amd64 stable

Comment 3 Tobias Klausmann (RETIRED) gentoo-dev

2016-09-17 09:52:14 UTC

Stable on alpha.

Comment 4 Jeroen Roovers (RETIRED) gentoo-dev

2016-09-19 13:32:48 UTC

Stable for HPPA PPC64.

Comment 5 Markus Meier gentoo-dev

2016-09-24 19:21:04 UTC

arm stable

Comment 6 Agostino Sarubbo gentoo-dev

2016-09-29 08:43:15 UTC

x86 stable

Comment 7 Agostino Sarubbo gentoo-dev

2016-09-29 09:38:13 UTC

sparc stable

Comment 8 Agostino Sarubbo gentoo-dev

2016-09-29 12:39:00 UTC

ppc stable

Comment 9 Agostino Sarubbo gentoo-dev

2016-09-29 13:31:26 UTC

ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 10 Yury German Gentoo Infrastructure

2017-04-19 05:50:47 UTC

Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.

Comment 11 GLSAMaker/CVETool Bot gentoo-dev

2017-06-22 17:46:12 UTC

This issue was resolved and addressed in
 GLSA 201706-22 at https://security.gentoo.org/glsa/201706-22
by GLSA coordinator Kristian Fiskerstrand (K_F).