
Bug 582720 (CVE-2016-4574)

Summary: <dev-libs/libksba-1.3.4 : Incomplete fix for CVE-2016-4356
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: alonbl, crypto+disabled
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1334831
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 590656

Description Agostino Sarubbo gentoo-dev 2016-05-11 07:16:28 UTC
From ${URL} :

An incomplete fix for CVE-2016-4356 was reported in libksba. The old fix for the problem from April 
2015 had an off-by-one in the bad encoding handling.

Upstream fix:

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=6be61daac047d8e6aa941eb103f8e71a1d4e3c75

CVE assignment:

http://seclists.org/oss-sec/2016/q2/300


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2016-05-11 09:32:35 UTC
Version bump to 1.3.4.
Changes are trivial, can we wait a few days to see if there are issues?
Comment 2 Alon Bar-Lev (RETIRED) gentoo-dev 2016-06-04 19:39:26 UTC
Hi,
Please stabilize.
Thanks!
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2016-06-06 07:48:54 UTC
Stable on alpha.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-06-07 06:33:16 UTC
Stable for PPC64.
Comment 5 Markus Meier gentoo-dev 2016-06-08 19:40:21 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-06-10 13:02:20 UTC
amd64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2016-06-21 11:37:55 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2016-06-27 08:50:25 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-07-08 07:57:49 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-07-08 10:06:21 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-07-08 12:05:42 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-11-11 12:23:10 UTC
CVE-2016-4574 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4574):
  Off-by-one error in the append_utf8_value function in the DN decoder (dn.c)
  in Libksba before 1.3.4 allows remote attackers to cause a denial of service
  (out-of-bounds read) via invalid utf-8 encoded data. NOTE: this
  vulnerability exists because of an incomplete fix for CVE-2016-4356.
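The bug class named in the CVE text above, as an added illustration in C (this is not libksba's dn.c, and every name here is hypothetical): a UTF-8 scanner for DN values whose length check is off by one, next to the corrected check, run over a constructed value that ends in a truncated multibyte sequence.

```c
#include <stddef.h>

/* Hypothetical scanner, not libksba code, showing how an off-by-one in the
 * length check lets a truncated UTF-8 sequence cause an out-of-bounds read. */

#define SCAN_MALFORMED -1   /* rejected by the length/continuation check */
#define SCAN_OOB_READ  -2   /* scanner would have read a byte past the buffer */

/* Continuation bytes that must follow a lead byte; -1 if it cannot lead. */
static int continuation_bytes(unsigned char lead)
{
    if (lead < 0x80) return 0;
    if ((lead & 0xE0) == 0xC0) return 1;
    if ((lead & 0xF0) == 0xE0) return 2;
    if ((lead & 0xF8) == 0xF0) return 3;
    return -1;
}

/* Returns the number of code points in buf[0..len), SCAN_MALFORMED on bad
 * encoding, or SCAN_OOB_READ when the scanner would read past len (the read
 * is simulated and reported rather than performed). With the lead byte at
 * index i the sequence occupies i .. i+nmore, so i + nmore must be < len;
 * the vulnerable variant (fixed == 0) tests i + nmore <= len instead, which
 * lets a sequence that is missing its last byte through. */
static int scan_utf8_value(const unsigned char *buf, size_t len, int fixed)
{
    size_t i = 0;
    int count = 0;
    while (i < len) {
        int nmore = continuation_bytes(buf[i]);
        if (nmore < 0)
            return SCAN_MALFORMED;
        if (fixed ? (i + nmore >= len) : (i + nmore > len))
            return SCAN_MALFORMED;
        for (int k = 1; k <= nmore; k++) {
            if (i + k >= len)               /* where the off-by-one ends up */
                return SCAN_OOB_READ;
            if ((buf[i + k] & 0xC0) != 0x80)
                return SCAN_MALFORMED;
        }
        i += (size_t)nmore + 1;
        count++;
    }
    return count;
}

/* Constructed samples: "CN=" followed by a truncated and a complete "é". */
static const unsigned char sample_truncated[] = { 'C', 'N', '=', 0xC3 };
static const unsigned char sample_valid[] = { 'C', 'N', '=', 0xC3, 0xA9 };
```

The corrected check rejects the truncated value as malformed, while the off-by-one variant passes it and goes on to read one byte beyond the buffer.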
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2016-11-11 12:24:32 UTC
Re-designating again.  This is a potential DoS.

@maintainer(s), please clean the vulnerable version so we can close this.
Comment 14 Alon Bar-Lev (RETIRED) gentoo-dev 2016-11-11 16:04:03 UTC
(In reply to Aaron Bauman from comment #13)
> Re-designating again.  This is a potential DoS.
> 
> @maintainer(s), please clean the vulnerable version so we can close this.

Done, thanks!
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2016-11-12 00:42:29 UTC
(In reply to Alon Bar-Lev from comment #14)
> (In reply to Aaron Bauman from comment #13)
> > Re-designating again.  This is a potential DoS.
> > 
> > @maintainer(s), please clean the vulnerable version so we can close this.
> 
> Done, thanks!

Thanks!