Bug 530634 (CVE-2014-9087) - <dev-libs/libksba-1.3.2: Buffer overflow (CVE-2014-9087)
Summary: <dev-libs/libksba-1.3.2: Buffer overflow (CVE-2014-9087)
Status: RESOLVED FIXED
Alias: CVE-2014-9087
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://lists.gnupg.org/pipermail/gnup...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-25 13:34 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2014-12-07 19:50 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-11-25 13:34:04 UTC
From ${URL}: 

Impact of the security bug
==========================

By using specially crafted S/MIME messages or ECC based OpenPGP data, it
is possible to create a buffer overflow.  The bug is not easy to exploit
because there are only 80 possible values which can be used to overwrite
memory.  However, a denial of service is possible and someone may come
up with other clever attacks.  Thus this should be fixed.

Affected versions: All Libksba versions < 1.3.2

Background: Yesterday Hanno Böck found an invalid memory access in the
2.1 branch of GnuPG by conveying a malformed OID as part of an ECC key.
It turned out that this bug has also been in libksba ever since and
affects at least gpgsm and dirmngr.  The code to convert an OID to its
string representation has an obvious error of not considering an invalid
encoding for arc-2.  A first byte of 0x80 can be used to make a value of
less than 80 and we then subtract 80 from it as required by the OID
encoding rules.  Due to the use of an unsigned integer this results in a
pretty long value which won't fit anymore into the allocated buffer.
The actual fix for Libksba is commit f715b9e.
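The OID decoding flaw described in the advisory above, illustrated with an added example that is not libksba's code and not part of the advisory or this bug: a small DER OID-to-string decoder in C that derives the arc-1/arc-2 split from the decoded value rather than from the first byte, rejects the non-minimal leading 0x80 encoding, guards the accumulator against overflow, and checks the output buffer before every write. `flawed_arc2` reproduces only the unsigned subtraction the advisory describes, so the underflow can be seen next to the hardened path. All function names, the constructed sample OID bytes and the buffer sizes are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Decode one base-128 subidentifier starting at buf[*pos].
   Returns 0 and advances *pos on success, -1 on malformed input. */
static int read_arc(const unsigned char *buf, size_t len, size_t *pos,
                    unsigned long *out)
{
    unsigned long val = 0;
    size_t i = *pos;

    if (i >= len)
        return -1;              /* truncated: no bytes left for this arc */
    if (buf[i] == 0x80)
        return -1;              /* leading 0x80 is a non-minimal encoding, invalid DER */

    for (;;) {
        if (i >= len)
            return -1;          /* truncated inside a multi-byte arc */
        if (val >> (sizeof(val) * 8 - 7))
            return -1;          /* next shift would overflow the accumulator */
        val = (val << 7) | (buf[i] & 0x7f);
        if (!(buf[i] & 0x80)) { /* clear continuation bit: last byte of this arc */
            i++;
            break;
        }
        i++;
    }
    *pos = i;
    *out = val;
    return 0;
}

/* Constructed reproduction of the arithmetic the advisory describes:
   deciding that arc-2 = value - 80 from the *first byte's* continuation
   bit instead of from the decoded value. Bytes 0x80 0x01 decode to 1,
   and 1 - 80 wraps to a huge unsigned number. Not libksba's code. */
static unsigned long flawed_arc2(unsigned char first_byte, unsigned long val)
{
    if (first_byte & 0x80)      /* "multi-byte, so it must be >= 80": wrong */
        return val - 80;        /* unsigned underflow when val < 80 */
    return val < 80 ? val % 40 : val - 80;
}

/* Hardened split of the first subidentifier (X.690 rule):
   value < 80 : arc1 = value / 40, arc2 = value % 40
   value >= 80: arc1 = 2,          arc2 = value - 80 */
static void split_first_arc(unsigned long val, unsigned long *a1,
                            unsigned long *a2)
{
    if (val < 80) { *a1 = val / 40; *a2 = val % 40; }
    else          { *a1 = 2;        *a2 = val - 80; }
}

/* Convert DER OID content octets to dotted-decimal text in out[outlen].
   Returns the number of characters written, or -1 if the input is
   malformed or the result would not fit in the caller's buffer. */
int oid_to_str(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
    size_t pos = 0, used;
    unsigned long val, a1, a2;
    int n;

    if (len == 0 || outlen == 0 || read_arc(buf, len, &pos, &val) < 0)
        return -1;
    split_first_arc(val, &a1, &a2);
    n = snprintf(out, outlen, "%lu.%lu", a1, a2);
    if (n < 0 || (size_t)n >= outlen)
        return -1;              /* would not fit: refuse instead of overflowing */
    used = (size_t)n;

    while (pos < len) {
        if (read_arc(buf, len, &pos, &val) < 0)
            return -1;
        n = snprintf(out + used, outlen - used, ".%lu", val);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
    }
    return (int)used;
}

int main(void)
{
    /* Constructed sample: DER content octets of 1.2.840.113549.1.1.11 */
    static const unsigned char good[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b};
    /* Constructed malformed sample: first arc encoded as 0x80 0x01 (value 1) */
    static const unsigned char bad[]  = {0x80,0x01,0x02};
    char s[64];

    if (oid_to_str(good, sizeof good, s, sizeof s) > 0)
        printf("decoded: %s\n", s);
    printf("malformed first arc rejected: %s\n",
           oid_to_str(bad, sizeof bad, s, sizeof s) < 0 ? "yes" : "no");
    printf("flawed arc-2 for decoded value 1: %lu\n", flawed_arc2(0x80, 1));
    return 0;
}
```

The decoder never writes past `outlen` because every `snprintf` is bounded by the remaining space and a truncated result is treated as an error; combined with deriving the arc-1/arc-2 split from the decoded value, the malformed `0x80 0x01` prefix can neither underflow the subtraction nor produce a string longer than the caller allowed.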
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-11-25 13:46:56 UTC
+*libksba-1.3.2 (25 Nov 2014)
+
+  25 Nov 2014; Kristian Fiskerstrand <k_f@gentoo.org> +libksba-1.3.2.ebuild,
+  -libksba-1.3.1.ebuild:
+  Version bump. Security bug #530634. Cleanup old non-stable.

New version uploaded and the changes are trivial enough that upgrading should be trivial, but will wait a little bit before calling for stabilization.

Marking B3 due to the specific nature of the attack despite this package being pulled in by default version of GnuPG.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-11-25 13:51:46 UTC
CVE Request: http://seclists.org/oss-sec/2014/q4/788
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-11-25 18:57:20 UTC
Arches, please stabilize

=dev-libs/libksba-1.3.2
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2014-11-26 16:56:45 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2014-11-28 13:51:45 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-11-28 13:52:14 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-11-29 13:30:12 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-12-01 09:18:45 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-12-02 11:58:31 UTC
alpha stable
Comment 10 Markus Meier gentoo-dev 2014-12-02 20:43:22 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-12-03 09:59:18 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-12-06 16:50:01 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-06 17:12:30 UTC
Arches, thank you for your work. 

GLSA Vote: No
Comment 14 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-06 17:14:58 UTC
06 Dec 2014; Kristian Fiskerstrand <k_f@gentoo.org> -libksba-1.3.0.ebuild:
Cleanup old for security bug #530634
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-12-07 19:43:43 UTC
CVE-2014-9087 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9087):
  Integer underflow in the ksba_oid_to_str function in Libksba before 1.3.2,
  as used in GnuPG, allows remote attackers to cause a denial of service
  (crash) via a crafted OID in a (1) S/MIME message or (2) ECC based OpenPGP
  data, which triggers a buffer overflow.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2014-12-07 19:50:10 UTC
GLSA Vote: No

No GLSA - Closing Bug as Resolved