[Secure-testing-team] Bug#770972: libksba: buffer overflow in ksba_oid_to_str

Salvatore Bonaccorso carnil at debian.org
Tue Nov 25 15:17:34 UTC 2014


Source: libksba
Version: 1.3.1-1
Severity: grave
Tags: security upstream patch fixed-upstream

Hi all,

Today a new upstream release for Libksba was announced, addressing in
particular the following:

> Impact of the security bug
> ==========================
>
> By using special crafted S/MIME messages or ECC based OpenPGP data, it
> is possible to create a buffer overflow.  The bug is not easy to exploit
> because there are only 80 possible values which can be used to overwrite
> memory.  However, a denial of service is possible and someone may come
> up with other clever attacks.  Thus this should be fixed.
>
> Affected versions: All Libksba versions < 1.3.2
>
> Background: Yesterday Hanno Böck found an invalid memory access in the
> 2.1 branch of GnuPG by conveying a malformed OID as part of an ECC key.
> It turned out that this bug has also been in libksba ever since and
> affects at least gpgsm and dirmngr.  The code to convert an OID to its
> string representation has an obvious error of not considering an invalid
> encoding for arc-2.  A first byte of 0x80 can be used to make a value of
> less than 80 and we then subtract 80 from it as required by the OID
> encoding rules.  Due to the use of an unsigned integer this results in a
> pretty long value which won't fit anymore into the allocated buffer.
> The actual fix for Libksba is commit f715b9e.

Announce: http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html
Upstream fix: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=f715b9e156dfa99ae829fc694e5a0abd23ef97d7

Regards,
Salvatore
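To make the arithmetic in the quoted background concrete, here is an added illustration (written for this report, not libksba's own code): a decoder for the first DER sub-identifier of an OID body that can run either with the unchecked "subtract 80" from the description or with the missing lower-bound check. It only computes numbers and measures string lengths with snprintf(NULL, 0, ...), so nothing is ever written past a buffer; the sample encodings are constructed for the example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Decode the first DER sub-identifier of an OID body (which packs arcs 1 and 2
 * as 40*arc1 + arc2) into arc1/arc2.  With strict == 0 the arithmetic mirrors
 * the flaw the report describes: a long-form value below 80 is still accepted
 * and "val - 80" wraps around in unsigned arithmetic.  With strict == 1 such an
 * encoding is rejected, which is the behaviour the upstream fix introduces.
 * This function only computes numbers; it never writes into an output buffer.
 * Returns 0 on success, -1 on a malformed encoding. */
int decode_first_subid(const unsigned char *buf, size_t len, int strict,
                       unsigned long *arc1, unsigned long *arc2)
{
    unsigned long val = 0;
    size_t n = 0;

    if (len == 0)
        return -1;
    if (buf[0] < 40) { *arc1 = 0; *arc2 = buf[0]; return 0; }
    if (buf[0] < 80) { *arc1 = 1; *arc2 = buf[0] - 40; return 0; }

    /* Base-128 with continuation bit: 0x80 set on every byte except the last. */
    for (;;) {
        if (n >= len)
            return -1;                       /* truncated encoding */
        if (val > (ULONG_MAX >> 7))
            return -1;                       /* value would not fit */
        val = (val << 7) | (buf[n] & 0x7f);
        if (!(buf[n] & 0x80))
            break;
        n++;
    }

    /* The missing check: a long-form value must encode at least 80 here,
     * otherwise "val - 80" underflows to a huge number. */
    if (strict && val < 80)
        return -1;

    *arc1 = 2;
    *arc2 = val - 80;                        /* wraps when val < 80 && !strict */
    return 0;
}

/* Output-buffer size following the sizing rule quoted in the report: an upper
 * limit of 3 decimal characters per input byte, plus 2 for the special
 * first octet, plus the terminating NUL. */
size_t oid_str_alloc_size(size_t len)
{
    return len * (1 + 3) + 2 + 1;
}

/* Characters needed (excluding NUL) to print the first two arcs as "a.b",
 * or 0 if the encoding is rejected.  Measured with snprintf(NULL, 0, ...),
 * so nothing is written anywhere. */
size_t first_arcs_strlen(const unsigned char *buf, size_t len, int strict)
{
    unsigned long a1, a2;
    if (decode_first_subid(buf, len, strict, &a1, &a2) != 0)
        return 0;
    return (size_t)snprintf(NULL, 0, "%lu.%lu", a1, a2);
}

/* Convenience wrapper: 1 if the decoder accepts the encoding, else 0. */
int decode_accepted(const unsigned char *buf, size_t len, int strict)
{
    unsigned long a1, a2;
    return decode_first_subid(buf, len, strict, &a1, &a2) == 0;
}

/* Second arc as decoded, or ULONG_MAX if the encoding was rejected. */
unsigned long decoded_arc2(const unsigned char *buf, size_t len, int strict)
{
    unsigned long a1, a2;
    if (decode_first_subid(buf, len, strict, &a1, &a2) != 0)
        return ULONG_MAX;
    return a2;
}

/* Constructed sample encodings for this example (not taken from any real message). */
const unsigned char OID_GOOD_SHORT[] = { 0x2a, 0x86, 0x48 }; /* starts 1.2 (as in 1.2.840...) */
const unsigned char OID_GOOD_LONG[]  = { 0x81, 0x34 };       /* long form 180 -> 2.100 */
const unsigned char OID_BAD_ARC2[]   = { 0x80, 0x01 };       /* long form encoding only 1 */

int main(void)
{
    size_t alloc = oid_str_alloc_size(sizeof OID_BAD_ARC2);
    size_t need  = first_arcs_strlen(OID_BAD_ARC2, sizeof OID_BAD_ARC2, 0);

    printf("unchecked: needs %zu chars, buffer holds %zu -> %s\n",
           need, alloc - 1, need > alloc - 1 ? "would overflow" : "ok");
    printf("strict:    %s\n",
           decode_accepted(OID_BAD_ARC2, sizeof OID_BAD_ARC2, 1)
               ? "accepted" : "rejected as bad OID");
    return 0;
}
```

With the two-byte input 0x80 0x01 the unchecked path decodes 1, wraps to a 20-digit second arc on a 64-bit unsigned long, and needs far more than the 10 usable characters the sizing rule allocates for two input bytes; the strict path refuses the encoding before any formatting happens, which is the shape of the upstream fix.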
