"A severe bug has been found in [Libksba], the library used by GnuPG for parsing the ASN.1 structures as used by S/MIME. The bug affects all versions of [Libksba] before 1.6.2 and may be used for remote code execution. *Updating this library is thus important*." Please stabilize ASAP
See also https://gnupg.org/blog/20221017-pepe-left-the-ksba.html.
Please cleanup.
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=240fb66b583731a7fa4def87440044e1ab698f45

commit 240fb66b583731a7fa4def87440044e1ab698f45
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-28 19:43:44 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-28 19:49:59 +0000

    dev-libs/libksba: drop 1.6.0-r1, 1.6.1

    Bug: https://bugs.gentoo.org/877453
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libksba/Manifest                |  3 --
 dev-libs/libksba/libksba-1.6.0-r1.ebuild | 38 -------------------------
 dev-libs/libksba/libksba-1.6.1.ebuild    | 48 --------------------------------
 3 files changed, 89 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d91443316234bdb883374b8a0379b08b8aebeb45

commit d91443316234bdb883374b8a0379b08b8aebeb45
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:16:48 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:16 +0000

    [ GLSA 202210-23 ] libksba: Remote Code Execution

    Bug: https://bugs.gentoo.org/877453
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-23.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
GLSA released, all done!
From 1.6.3:

```
+2022-11-23  Werner Koch  <wk@gnupg.org>
+
+	Fix an integer overflow in the CRL signature parser.
+
+	commit f61a5ea4e0f6a80fd4b28ef0174bee77793cf070
+	* src/crl.c (parse_signature): N+N2 now checked for overflow.
+
+	* src/ocsp.c (parse_response_extensions): Do not accept too large
+	values.
+	(parse_single_extensions): Ditto.
```

and https://gnupg.org/blog/20221017-pepe-left-the-ksba.html has been updated accordingly.
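The fix named in that ChangeLog entry (checking N+N2 for overflow before the sum is used as a bound) is the pattern shown below, as an added C illustration that is not libksba's code: the input layout (two 32-bit lengths followed by a payload), the function names and the sample messages are assumptions constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed layout for this demonstration (not libksba's format): a 4-byte
   big-endian length N, a 4-byte length N2, then N + N2 payload bytes. */
static uint32_t rd32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: N + N2 is computed in 32 bits and may wrap to a small
   value, so the bounds test passes for a payload far larger than `avail`.
   Returns the payload length the caller would go on to read, or 0 on error. */
size_t sig_len_unchecked(const unsigned char *buf, size_t avail)
{
    if (avail < 8) return 0;
    uint32_t total = rd32(buf) + rd32(buf + 4);  /* wraps silently */
    if (total > avail - 8) return 0;
    return total;
}

/* Fixed pattern: refuse the sum when it cannot be represented. */
bool add_len_checked(uint32_t n, uint32_t n2, uint32_t *out)
{
    if (n2 > UINT32_MAX - n) return false;
    *out = n + n2;
    return true;
}

size_t sig_len_checked(const unsigned char *buf, size_t avail)
{
    uint32_t total;
    if (avail < 8) return 0;
    if (!add_len_checked(rd32(buf), rd32(buf + 4), &total)) return 0;
    if (total > avail - 8) return 0;
    return total;
}

/* Constructed inputs: a benign header (N=3, N2=5, 8 payload bytes) and a
   hostile one (N=0xFFFFFFF0, N2=0x20) whose 32-bit sum wraps to 16, which
   is exactly the number of bytes that follow the header in wrapped_msg. */
const unsigned char benign_msg[16] = { 0, 0, 0, 3, 0, 0, 0, 5,
                                       'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h' };
const unsigned char wrapped_msg[24] = { 0xFF, 0xFF, 0xFF, 0xF0, 0, 0, 0, 0x20 };
```

On the wrapped message the unchecked version reports 16 readable bytes while the declared lengths actually describe over 4 GiB of payload; the checked version rejects the header outright.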
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=681d8bfeec74b900bde31f09f3f50c6e4016eb30

commit 681d8bfeec74b900bde31f09f3f50c6e4016eb30
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-20 08:05:22 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-20 08:14:35 +0000

    dev-libs/libksba: add 1.6.3

    Bug: https://bugs.gentoo.org/877453
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libksba/Manifest             |  2 ++
 dev-libs/libksba/libksba-1.6.3.ebuild | 54 +++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
Fortunately, somebody's gotten a CVE.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f62f43517acef20ce1bd506aa5d58fcf9b34d939

commit f62f43517acef20ce1bd506aa5d58fcf9b34d939
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-21 02:22:51 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-21 02:22:51 +0000

    dev-libs/libksba: drop 1.6.2

    Bug: https://bugs.gentoo.org/877453
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libksba/Manifest             |  2 --
 dev-libs/libksba/libksba-1.6.2.ebuild | 54 -----------------------------------
 2 files changed, 56 deletions(-)
GLSA request filed (again)!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b95962b57e3a2b7645af0491db5baf8f15b6b69d

commit b95962b57e3a2b7645af0491db5baf8f15b6b69d
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-12-28 18:58:25 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-28 18:59:24 +0000

    [ GLSA 202212-07 ] libksba: Remote Code Execution

    Bug: https://bugs.gentoo.org/877453
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202212-07.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
GLSA released (again), all done!