Bug 979261 - (CVE-2016-4574) VUL-0: libksba: two OOB read access bugs remote DoS
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
CVSSv2:RedHat:CVE-2016-4356:5.1:(AV:N...
Reported: 2016-05-10 11:42 UTC by Andreas Stieger
Modified: 2017-05-11 01:07 UTC

Found By: Security Response Team
Description Andreas Stieger 2016-05-10 11:42:12 UTC
libksba 1.3.4 was released with the following changes:

> * Fixed two OOB read access bugs which could be used to force a DoS.

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=a7eed17a0b2a1c09ef986f3b4b323cd31cea2b64

> Fix possible read access beyond the buffer.
> 
> * src/ber-help.c (_ksba_ber_parse_tl): Add extra sanity check.
> * src/cert.c (ksba_cert_get_cert_policies): Check TLV given length
> against buffer length.
> (ksba_cert_get_ext_key_usages): Ditto.
> * src/ocsp.c (parse_asntime_into_isotime): Ditto.
> --
> 
> The returned length of the object from _ksba_ber_parse_tl (ti.length)
> was not always checked against the actual buffer length, thus leading
> to a read access after the end of the buffer and thus a segv.
> 
> GnuPG-bug-id: 2344
> Reported-by: Pascal Cuoq
> Signed-off-by: Werner Koch <wk@gnupg.org>

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=6be61daac047d8e6aa941eb103f8e71a1d4e3c75

> Fix an OOB read access in _ksba_dn_to_str.
> 
> * src/dn.c (append_utf8_value): Use a straightforward check to fix an
> off-by-one.
> --
> 
> The old fix for the problem from April 2015 had an off-by-one in the
> bad encoding handling.
> 
> Fixes-commit: 243d12fdec66a4360fbb3e307a046b39b5b4ffc3
> GnuPG-bug-id: 2344
> Reported-by: Pascal Cuoq
> Signed-off-by: Werner Koch <wk@gnupg.org>




-----

Related?

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=3f74c2cc0068d0b3584627af73c8c42ce720a826

> Fix an undefined return value in ksba_cert_get_digest_algo.
> 
> * src/cert.c (ksba_cert_get_digest_algo): Set ALGO in the error case.
> * tests/cert-basic.c (one_file): Take care of printf which does not
> handle NULL for %s
> --
> 
> GnuPG-bug-id: 2343
> Reported-by: Pascal Cuoq

https://bugs.gnupg.org/gnupg/issue2343


-----

Also in release notes:

> * Fixed a crash due to faulty curve OID lookup code.

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=9df0ac3a4afa0272dbff08d17e9064f13be95814

> Fix lookup of ECC OIDs by name.
> 
> * src/keyinfo.c (get_ecc_curve_oid): Fix obviously never tested table
> lookup.
> --
> 
> This led to a crash see
>  https://lists.gnupg.org/pipermail/gnupg-devel/2015-October/030445.html
> 
> The fix is obvious but I do not have test data for this.

"gpgsm --gen-key segfault with ECC key on smartcard"
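
The length check described in the first commit message above (`ti.length` compared against the actual buffer length), as an added C example that is not libksba's code and not part of the original report. `parse_tl`, `checked_value` and the byte arrays are hypothetical names and constructed inputs; only single-octet tags and definite lengths are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; illustrative only, not libksba's code. */
struct tl_info { size_t hdr_len; size_t length; };

/* Parse one definite-length BER tag/length header (single-octet tags).
   Returns 0 on success, -1 if the header is truncated or unsupported. */
static int parse_tl(const uint8_t *buf, size_t size, struct tl_info *ti)
{
    size_t pos = 1, n, len = 0;
    if (size < 2 || (buf[0] & 0x1f) == 0x1f)
        return -1;
    if (!(buf[pos] & 0x80)) {
        len = buf[pos++];                 /* short form */
    } else {
        n = buf[pos++] & 0x7f;            /* long form: n length octets */
        if (n == 0 || n > sizeof len || n > size - pos)
            return -1;
        while (n--)
            len = (len << 8) | buf[pos++];
    }
    ti->hdr_len = pos;
    ti->length = len;                     /* taken from the input, untrusted */
    return 0;
}

/* Caller-side check: the declared length must fit in the bytes left after
   the header. Returns the value length, or -1; *val is set if non-NULL. */
static long checked_value(const uint8_t *buf, size_t size, const uint8_t **val)
{
    struct tl_info ti;
    if (parse_tl(buf, size, &ti) != 0 || ti.length > size - ti.hdr_len)
        return -1;                        /* hdr_len <= size, no underflow */
    if (val) *val = buf + ti.hdr_len;
    return (long)ti.length;
}

/* Constructed inputs: a valid UTF8String, and one declaring 0x20 octets. */
static const uint8_t good_tlv[] = { 0x0c, 0x03, 'a', 'b', 'c' };
static const uint8_t bad_tlv[]  = { 0x0c, 0x20, 'a', 'b', 'c' };

int main(void)
{
    printf("good: %ld\n", checked_value(good_tlv, sizeof good_tlv, NULL));
    printf("bad:  %ld\n", checked_value(bad_tlv, sizeof bad_tlv, NULL));
    return 0;
}
```

Without the comparison in `checked_value`, a caller that trusts the declared length of `bad_tlv` would read 29 octets past the end of the buffer.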
Comment 1 Andreas Stieger 2016-05-10 12:07:04 UTC
Note... "Fixes-commit: 243d12fdec66a4360fbb3e307a046b39b5b4ffc3"
The original fix was flawed...
Comment 4 Bernhard Wiedemann 2016-05-10 18:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (979261) was mentioned in
https://build.opensuse.org/request/show/394677 13.2 / libksba
Comment 5 Swamp Workflow Management 2016-05-10 22:00:53 UTC
bugbot adjusting priority
Comment 6 Sebastian Krahmer 2016-05-11 07:58:19 UTC
CVE-2016-4574 for the dn.c off by one inside the invalid fix
Comment 8 Bernhard Wiedemann 2016-05-11 10:00:57 UTC
This is an autogenerated message for OBS integration:
This bug (979261) was mentioned in
https://build.opensuse.org/request/show/394785 13.2 / libksba
Comment 10 Bernhard Wiedemann 2016-05-13 14:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (979261) was mentioned in
https://build.opensuse.org/request/show/395170 13.2 / libksba
Comment 12 Swamp Workflow Management 2016-05-17 08:59:02 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-05-31.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62760
Comment 13 Swamp Workflow Management 2016-05-20 13:07:55 UTC
openSUSE-SU-2016:1370-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 979261
CVE References: CVE-2016-4574
Sources used:
openSUSE 13.2 (src):    libksba-1.3.1-12.1
Comment 14 Swamp Workflow Management 2016-06-07 12:08:10 UTC
SUSE-SU-2016:1509-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 979261,979906
CVE References: CVE-2016-4574,CVE-2016-4579
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libksba-1.0.4-1.25.1
SUSE Linux Enterprise Server 11-SP4 (src):    libksba-1.0.4-1.25.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libksba-1.0.4-1.25.1
Comment 15 Swamp Workflow Management 2016-06-07 12:08:38 UTC
SUSE-SU-2016:1510-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 979261,979906
CVE References: CVE-2016-4574,CVE-2016-4579
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libksba-1.3.0-23.1
SUSE Linux Enterprise Software Development Kit 12 (src):    libksba-1.3.0-23.1
SUSE Linux Enterprise Server 12-SP1 (src):    libksba-1.3.0-23.1
SUSE Linux Enterprise Server 12 (src):    libksba-1.3.0-23.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libksba-1.3.0-23.1
SUSE Linux Enterprise Desktop 12 (src):    libksba-1.3.0-23.1
Comment 16 Swamp Workflow Management 2016-06-08 11:07:54 UTC
openSUSE-SU-2016:1525-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 979261,979906
CVE References: CVE-2016-4574,CVE-2016-4579
Sources used:
openSUSE Leap 42.1 (src):    libksba-1.3.0-7.1
Comment 17 Marcus Meissner 2016-06-21 07:10:20 UTC
released