Bug 582720 (CVE-2016-4574) - <dev-libs/libksba-1.3.4 : Incomplete fix for CVE-2016-4356
Summary: <dev-libs/libksba-1.3.4 : Incomplete fix for CVE-2016-4356
Status: RESOLVED FIXED
Alias: CVE-2016-4574
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa cve]
Keywords:
Depends on:
Blocks: 590656
Reported: 2016-05-11 07:16 UTC by Agostino Sarubbo
Modified: 2016-11-12 00:42 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2016-05-11 07:16:28 UTC
From ${URL} :

An incomplete fix for CVE-2016-4356 was reported in libksba. The old fix for the problem from April 2015 had an off-by-one in the bad encoding handling.

Upstream fix:

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=6be61daac047d8e6aa941eb103f8e71a1d4e3c75

CVE assignment:

http://seclists.org/oss-sec/2016/q2/300


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2016-05-11 09:32:35 UTC
Version bump to 1.3.4.
Changes are trivial, can we wait a few days to see if there are issues?
Comment 2 Alon Bar-Lev (RETIRED) gentoo-dev 2016-06-04 19:39:26 UTC
Hi,
Please stabilize.
Thanks!
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2016-06-06 07:48:54 UTC
Stable on alpha.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-06-07 06:33:16 UTC
Stable for PPC64.
Comment 5 Markus Meier gentoo-dev 2016-06-08 19:40:21 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-06-10 13:02:20 UTC
amd64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2016-06-21 11:37:55 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2016-06-27 08:50:25 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-07-08 07:57:49 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-07-08 10:06:21 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-07-08 12:05:42 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-11-11 12:23:10 UTC
CVE-2016-4574 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4574):
  Off-by-one error in the append_utf8_value function in the DN decoder (dn.c)
  in Libksba before 1.3.4 allows remote attackers to cause a denial of service
  (out-of-bounds read) via invalid utf-8 encoded data. NOTE: this
  vulnerability exists because of an incomplete fix for CVE-2016-4356.
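The bug class named in the description (comment 0) and in the CVE text above is an off-by-one in the bounds check that guards the continuation bytes of a multibyte UTF-8 sequence: a value that ends one byte short of a complete sequence is let through, and the decoder reads past the end of its buffer. The following is an added illustration of that class written for this page; it is not libksba's dn.c, and the buggy check is a constructed stand-in rather than a reconstruction of the actual upstream change (the authoritative fix is the commit linked in comment 0). The DN-like input values are constructed for the example. The buggy path intercepts the out-of-bounds index and counts it instead of dereferencing it, so the program stays well-defined while still showing which inputs the faulty check lets through.

```c
#include <stddef.h>
#include <stdio.h>

/* Bytes a UTF-8 sequence claims to occupy, judged from its lead byte.
   0 means the byte cannot start a sequence (a stray continuation byte
   or 0xF8..0xFF). Overlong forms and surrogates are not checked here;
   the point of the example is buffer bounds, not full validation. */
static size_t utf8_seq_len(unsigned char lead)
{
    if (lead < 0x80)           return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Walk 'len' bytes of a DN attribute value and verify that every
   multibyte sequence is complete and structurally well-formed.
   Returns 0 if the value is acceptable, -1 if it is malformed.
   'hardened' selects the bounds check: the hardened form rejects a
   sequence unless all of it lies inside the buffer; the other form is
   the constructed off-by-one, which tolerates exactly one missing
   trailing byte. Any access the check would have permitted at an index
   >= len is counted in *overread and not performed. */
int scan_dn_utf8(const unsigned char *buf, size_t len, int hardened,
                 size_t *overread)
{
    size_t i = 0;
    *overread = 0;
    while (i < len) {
        size_t n = utf8_seq_len(buf[i]);
        if (n == 0)
            return -1;                  /* byte cannot start a sequence */
        /* Correct: the sequence must end at or before len.
           Off-by-one (hypothetical): 'i + n > len + 1' still admits a
           sequence whose last byte would sit at index len. */
        if (hardened ? (i + n > len) : (i + n > len + 1))
            return -1;
        for (size_t k = 1; k < n; k++) {
            if (i + k >= len) {         /* only reachable on the buggy path */
                (*overread)++;          /* a real decoder would read buf[len] here */
                return -1;
            }
            if ((buf[i + k] & 0xC0) != 0x80)
                return -1;              /* not a continuation byte */
        }
        i += n;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample DN values, not taken from any real certificate. */
    const unsigned char ok[]   = {'C','N','=','c','a','f',0xC3,0xA9}; /* "CN=caf\u00e9" */
    const unsigned char cut[]  = {'C','N','=','c','a','f',0xC3};      /* final byte missing */
    const unsigned char junk[] = {'C','N','=',0xC3,'A'};              /* bad continuation byte */
    size_t ob;
    int r;

    r = scan_dn_utf8(ok, sizeof ok, 0, &ob);
    printf("valid value, buggy check    : %d, over-reads %zu\n", r, ob);
    r = scan_dn_utf8(cut, sizeof cut, 0, &ob);
    printf("truncated value, buggy check: %d, over-reads %zu\n", r, ob);
    r = scan_dn_utf8(cut, sizeof cut, 1, &ob);
    printf("truncated value, hardened   : %d, over-reads %zu\n", r, ob);
    r = scan_dn_utf8(junk, sizeof junk, 1, &ob);
    printf("bad continuation, hardened  : %d, over-reads %zu\n", r, ob);
    return 0;
}
```

The interesting case is the value that is cut off exactly one byte short: the lenient check passes it, and the first continuation-byte access lands on index len, which in a real decoder is the out-of-bounds read the CVE describes. A value cut two bytes short is rejected by both checks, which is why an off-by-one of this kind can survive a test suite that only exercises grossly truncated input.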
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2016-11-11 12:24:32 UTC
Re-designating again.  This is a potential DoS.

@maintainer(s), please clean the vulnerable version so we can close this.
Comment 14 Alon Bar-Lev (RETIRED) gentoo-dev 2016-11-11 16:04:03 UTC
(In reply to Aaron Bauman from comment #13)
> Re-designating again.  This is a potential DoS.
> 
> @maintainer(s), please clean the vulnerable version so we can close this.

Done, thanks!
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2016-11-12 00:42:29 UTC
(In reply to Alon Bar-Lev from comment #14)
> (In reply to Aaron Bauman from comment #13)
> > Re-designating again.  This is a potential DoS.
> > 
> > @maintainer(s), please clean the vulnerable version so we can close this.
> 
> Done, thanks!

Thanks!