Re: Re: CVE request: three issues in libksba

[Andreas Stieger <astieger () suse com>]

Hello,

On 04/29/2016 06:13 PM, cve-assign () mitre org wrote:
> > Integer overflow in the DN decoder src/dn.c
> http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=243d12fdec66a4360fbb3e307a046b39b5b4ffc3
>
> This might be an error in the original
> https://security.gentoo.org/glsa/201604-04 advisory. We did not notice
> any obvious relationship between
> 243d12fdec66a4360fbb3e307a046b39b5b4ffc3 and an integer overflow fix.
> The 243d12fdec66a4360fbb3e307a046b39b5b4ffc3 commit message seems to
> focus on "read access out of bounds." Also, there is no other recent
> commit at
> http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=history;f=src/dn.c
> that refers to an integer overflow. Possibly there was an inapplicable
> copy-and-paste of "Integer overflow in the" from the previous report
> about the BER decoder.
>
> Use CVE-2016-4356 for the 243d12fdec66a4360fbb3e307a046b39b5b4ffc3
> issue that is described as "Fix encoding of invalid utf-8 strings in
> dn.c" and "read access out of bounds."


There is a follow-up fix in libksba 1.3.4 for this issue:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=6be61daac047d8e6aa941eb103f8e71a1d4e3c75

> Fix an OOB read access in _ksba_dn_to_str.
>
> * src/dn.c (append_utf8_value): Use a straightforward check to fix an
> off-by-one.
> --
>
> The old fix for the problem from April 2015 had an off-by-one in the
> bad encoding handing.
>
> Fixes-commit: 243d12fdec66a4360fbb3e307a046b39b5b4ffc3
> <http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=object;h=243d12fdec66a4360fbb3e307a046b39b5b4ffc3>
> GnuPG-bug-id: 2344
> Reported-by: Pascal Cuoq
> Signed-off-by: Werner Koch <wk () gnupg org>

Andreas

-- 
Andreas Stieger <astieger () suse com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)

Attachment: signature.asc
Description: OpenPGP digital signature