
Bug 877453 (CVE-2022-3515, CVE-2022-47629)

Summary: <dev-libs/libksba-1.6.3: integer overflow to code execution
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: base-system
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://lists.gnupg.org/pipermail/gnupg-announce/2022q4/000475.html
Whiteboard: A1 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 877469, 887327    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-17 14:25:54 UTC
"A severe bug has been found in [Libksba], the library used by GnuPG
  for parsing the ASN.1 structures as used by S/MIME.  The bug affects
  all versions of [Libksba] before 1.6.2 and may be used for remote code
  execution.

     *Updating this library is thus important*."

Please stabilize ASAP
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-10-17 17:05:09 UTC
See also https://gnupg.org/blog/20221017-pepe-left-the-ksba.html.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-20 15:37:56 UTC
Please cleanup.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 15:49:51 UTC
GLSA request filed
Comment 4 Larry the Git Cow gentoo-dev 2022-10-28 19:53:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=240fb66b583731a7fa4def87440044e1ab698f45

commit 240fb66b583731a7fa4def87440044e1ab698f45
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-28 19:43:44 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-28 19:49:59 +0000

    dev-libs/libksba: drop 1.6.0-r1, 1.6.1
    
    Bug: https://bugs.gentoo.org/877453
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libksba/Manifest                |  3 --
 dev-libs/libksba/libksba-1.6.0-r1.ebuild | 38 -------------------------
 dev-libs/libksba/libksba-1.6.1.ebuild    | 48 --------------------------------
 3 files changed, 89 deletions(-)
Comment 5 Larry the Git Cow gentoo-dev 2022-10-31 01:42:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d91443316234bdb883374b8a0379b08b8aebeb45

commit d91443316234bdb883374b8a0379b08b8aebeb45
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:16:48 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:16 +0000

    [ GLSA 202210-23 ] libksba: Remote Code Execution
    
    Bug: https://bugs.gentoo.org/877453
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-23.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 02:18:45 UTC
GLSA released, all done!
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-12-20 08:03:59 UTC
From 1.6.3:
```
+2022-11-23  Werner Koch  <wk@gnupg.org>
+
+       Fix an integer overflow in the CRL signature parser.
+       + commit f61a5ea4e0f6a80fd4b28ef0174bee77793cf070
+       * src/crl.c (parse_signature): N+N2 now checked for overflow.
+
+       * src/ocsp.c (parse_response_extensions): Do not accept too large
+       values.
+       (parse_single_extensions): Ditto.
```

and https://gnupg.org/blog/20221017-pepe-left-the-ksba.html has been updated accordingly.
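As an added illustration (not libksba's code and not part of this bug), the pattern the ChangeLog entry above describes: a parser sums two decoded lengths N and N2 to size a buffer, shown unchecked beside the checked form, plus a "do not accept too large values" bound. The function names, the size limit and the sample lengths are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a parser has decoded two lengths n and n2 and
 * needs n + n2 to size a buffer. Nothing here is libksba code. */

#define PARSE_OK        0
#define PARSE_OVERFLOW  1
#define PARSE_TOO_LARGE 2

/* Largest single element the parser is willing to accept. The value is
 * an assumption for this example, not a libksba constant. */
#define MAX_ELEMENT_LEN ((size_t)1 << 20)

/* Unchecked sum: on wrap-around the result is tiny, so a later
 * allocation is undersized while the parser still copies n + n2 bytes. */
static size_t unchecked_total(size_t n, size_t n2)
{
    return n + n2;
}

/* Checked sum: reject wrap-around before any allocation happens. */
static int checked_total(size_t n, size_t n2, size_t *total)
{
    if (n > SIZE_MAX - n2)
        return PARSE_OVERFLOW;
    *total = n + n2;
    return PARSE_OK;
}

/* Bound check in the spirit of "do not accept too large values". */
static int accept_length(size_t len)
{
    return len <= MAX_ELEMENT_LEN ? PARSE_OK : PARSE_TOO_LARGE;
}

/* What a parser should do before allocating: both checks, in order. */
static int plan_buffer(size_t n, size_t n2, size_t *total)
{
    int rc = checked_total(n, n2, total);
    return rc != PARSE_OK ? rc : accept_length(*total);
}

int main(void)
{
    size_t t = 0;
    size_t n = SIZE_MAX - 8, n2 = 16;  /* constructed hostile lengths */
    printf("unchecked total: %zu\n", unchecked_total(n, n2)); /* wraps to 7 */
    printf("checked rc: %d\n", plan_buffer(n, n2, &t));      /* 1, overflow */
    printf("normal rc: %d total %zu\n", plan_buffer(100, 200, &t), t);
    return 0;
}
```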
Comment 8 Larry the Git Cow gentoo-dev 2022-12-20 08:15:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=681d8bfeec74b900bde31f09f3f50c6e4016eb30

commit 681d8bfeec74b900bde31f09f3f50c6e4016eb30
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-20 08:05:22 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-20 08:14:35 +0000

    dev-libs/libksba: add 1.6.3
    
    Bug: https://bugs.gentoo.org/877453
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libksba/Manifest             |  2 ++
 dev-libs/libksba/libksba-1.6.3.ebuild | 54 +++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-21 01:36:16 UTC
Fortunately, somebody's gotten a CVE.
Comment 10 Larry the Git Cow gentoo-dev 2022-12-21 02:23:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f62f43517acef20ce1bd506aa5d58fcf9b34d939

commit f62f43517acef20ce1bd506aa5d58fcf9b34d939
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-21 02:22:51 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-21 02:22:51 +0000

    dev-libs/libksba: drop 1.6.2
    
    Bug: https://bugs.gentoo.org/877453
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libksba/Manifest             |  2 --
 dev-libs/libksba/libksba-1.6.2.ebuild | 54 -----------------------------------
 2 files changed, 56 deletions(-)
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-21 02:28:18 UTC
GLSA request filed (again)!
Comment 12 Larry the Git Cow gentoo-dev 2022-12-28 18:59:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b95962b57e3a2b7645af0491db5baf8f15b6b69d

commit b95962b57e3a2b7645af0491db5baf8f15b6b69d
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-12-28 18:58:25 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-28 18:59:24 +0000

    [ GLSA 202212-07 ] libksba: Remote Code Execution
    
    Bug: https://bugs.gentoo.org/877453
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202212-07.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-28 19:12:16 UTC
GLSA released (again), all done!