Date: Fri, 29 Apr 2016 12:13:08 -0400 (EDT)
From: cve-assign@...re.org
To: mprpic@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: three issues in libksba

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Denial of Service due to stack overflow in src/ber-decoder.c
> http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=07116a314f4dcd4d96990bbd74db95a03a9f650a

Use CVE-2016-4353. (This CVE is about changing the type of error
handling after a decoder stack overflow. It is not about changing the
decoder so that a decoder stack overflow occurs in fewer cases.)


> Integer overflow in the BER decoder src/ber-decoder.c
> http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=aea7b6032865740478ca4b706850a5217f1c3887

>> The actual bug described below is due to assigning an int
>> (val.length) to a size_t (ti.length). The int was too large and thus
>> negative so that the condition to check for too large objects didn't
>> work. Changing the type would have been enough but other conditions
>> are possible. Thus the introduction of sum_a1_a2_ge_b for overflow
>> checking and checks when adding 100 extra bytes to malloc calls are
>> added.

We consider this two separate issues.

Use CVE-2016-4354 for the use of an incorrect integer data type.

Use CVE-2016-4355 for the cases in which the code was simply making no
attempt to check for an integer overflow (the "+ 100" cases and the
"+= d->val.length" case).


> Integer overflow in the DN decoder src/dn.c
> http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=243d12fdec66a4360fbb3e307a046b39b5b4ffc3

This might be an error in the original
https://security.gentoo.org/glsa/201604-04 advisory. We did not notice
any obvious relationship between
243d12fdec66a4360fbb3e307a046b39b5b4ffc3 and an integer overflow fix.
The 243d12fdec66a4360fbb3e307a046b39b5b4ffc3 commit message seems to
focus on "read access out of bounds." Also, there is no other recent
commit at
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=history;f=src/dn.c
that refers to an integer overflow. Possibly there was an inapplicable
copy-and-paste of "Integer overflow in the" from the previous report
about the BER decoder.

Use CVE-2016-4356 for the 243d12fdec66a4360fbb3e307a046b39b5b4ffc3
issue that is described as "Fix encoding of invalid utf-8 strings in
dn.c" and "read access out of bounds."

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
