Version in base suite: 1.5.0-3+deb11u1 Base version: libksba_1.5.0-3+deb11u1 Target version: libksba_1.5.0-3+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libk/libksba/libksba_1.5.0-3+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libk/libksba/libksba_1.5.0-3+deb11u2.dsc changelog | 8 + patches/25-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch | 73 ++++++++++ patches/series | 1 3 files changed, 82 insertions(+)
diff -Nru libksba-1.5.0/debian/changelog libksba-1.5.0/debian/changelog
--- libksba-1.5.0/debian/changelog 2022-10-17 16:36:34.000000000 +0000
+++ libksba-1.5.0/debian/changelog 2022-12-20 17:22:50.000000000 +0000
@@ -1,3 +1,11 @@
+libksba (1.5.0-3+deb11u2) bullseye-security; urgency=high
+
+ * 25-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch from 1.6.3
+ release: Fix an integer overflow in the CRL signature parser.
+ https://dev.gnupg.org/T6284
+
+ -- Andreas Metzler Tue, 20 Dec 2022 18:22:50 +0100
+
 libksba (1.5.0-3+deb11u1) bullseye-security; urgency=high
 * 20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch from
diff -Nru libksba-1.5.0/debian/patches/25-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch libksba-1.5.0/debian/patches/25-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch
--- libksba-1.5.0/debian/patches/25-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch 1970-01-01 00:00:00.000000000 +0000
+++ libksba-1.5.0/debian/patches/25-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch 2022-12-20 17:21:35.000000000 +0000
@@ -0,0 +1,73 @@
+From f61a5ea4e0f6a80fd4b28ef0174bee77793cf070 Mon Sep 17 00:00:00 2001
+From: Werner Koch
+Date: Tue, 22 Nov 2022 16:36:46 +0100
+Subject: [PATCH] Fix an integer overflow in the CRL signature parser.
+
+* src/crl.c (parse_signature): N+N2 now checked for overflow.
+
+* src/ocsp.c (parse_response_extensions): Do not accept too large
+values.
+(parse_single_extensions): Ditto.
+--
+
+The second patch is an extra safegourd not related to the reported
+bug.
+
+GnuPG-bug-id: 6284
+Reported-by: Joseph Surin, elttam
+---
+ src/crl.c | 2 +-
+ src/ocsp.c | 12 ++++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/src/crl.c
++++ b/src/crl.c
+@@ -1347,11 +1347,11 @@ parse_signature (ksba_crl_t crl)
+ return err;
+ if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_BIT_STRING
+ && !ti.is_constructed) )
+ return gpg_error (GPG_ERR_INV_CRL_OBJ);
+ n2 = ti.nhdr + ti.length;
+- if (n + n2 >= DIM(tmpbuf))
++ if (n + n2 >= DIM(tmpbuf) || (n + n2) < n)
+ return gpg_error (GPG_ERR_TOO_LARGE);
+ memcpy (tmpbuf+n, ti.buf, ti.nhdr);
+ err = read_buffer (crl->reader, tmpbuf+n+ti.nhdr, ti.length);
+ if (err)
+ return err;
+--- a/src/ocsp.c
++++ b/src/ocsp.c
+@@ -712,10 +712,16 @@ parse_response_extensions (ksba_ocsp_t o
+ || memcmp (ocsp->nonce, data, ti.length))
+ ocsp->bad_nonce = 1;
+ else
+ ocsp->good_nonce = 1;
+ }
++ if (ti.length > (1<<24))
++ {
++ /* Bail out on much too large objects. */
++ err = gpg_error (GPG_ERR_BAD_BER);
++ goto leave;
++ }
+ ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
+ if (!ex)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+@@ -779,10 +785,16 @@ parse_single_extensions (struct ocsp_req
+ if (err)
+ goto leave;
+ err = parse_octet_string (&data, &datalen, &ti);
+ if (err)
+ goto leave;
++ if (ti.length > (1<<24))
++ {
++ /* Bail out on much too large objects.
*/
++ err = gpg_error (GPG_ERR_BAD_BER);
++ goto leave;
++ }
+ ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
+ if (!ex)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
diff -Nru libksba-1.5.0/debian/patches/series libksba-1.5.0/debian/patches/series
--- libksba-1.5.0/debian/patches/series 2022-10-17 16:36:34.000000000 +0000
+++ libksba-1.5.0/debian/patches/series 2022-12-20 17:22:17.000000000 +0000
@@ -1,3 +1,4 @@
 0001-fix-win32-linker.patch
 10_Fix-a-possible-segv-in-case-of-an-unknown-CMS-object.patch
 20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
+25-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch
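Review bot: The new guard in parse_signature only covers the `n + n2` sum, while `n2 = ti.nhdr + ti.length` on the line above is still formed unchecked, so a `ti.length` near the type's maximum could wrap `n2` to a small value, pass both tests and reach `read_buffer (..., ti.length)` with the original length — unless the TLV parser already bounds `ti.length`, which the series' 20_Detect-a-possible-overflow-directly-in-the-TLV-parse.patch suggests it may. A direct bound such as `if (ti.length > DIM(tmpbuf)) return gpg_error (GPG_ERR_TOO_LARGE);` before computing `n2` would make the function safe on its own rather than relying on the caller's parser. The wraparound test `(n + n2) < n` is only sound if `n` and `n2` are unsigned; their declarations are outside the hunk, and if either were signed the overflow would be undefined and the compiler could discard the check, so this is worth confirming against the declarations. In the two ocsp.c hunks the limit `(1<<24)` appears twice as a bare literal; a named constant with a comment stating why 16 MiB is the cutoff would document the intent and keep the two sites in step.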