Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 25 Nov 2014 14:42:33 +0100
From: Salvatore Bonaccorso <>
To: OSS Security Mailinglist <>
Cc: CVE Assignments MITRE <>
Subject: CVE Request: buffer overflow in ksba_oid_to_str in Libksba


Today a new upstream version for Libksba (1.3.2) was announced. The
upstream advisory mention following impact:

> Impact of the security bug
> ==========================
> By using special crafted S/MIME messages or ECC based OpenPGP data, it
> is possible to create a buffer overflow.  The bug is not easy to exploit
> because there only 80 possible values which can be used to overwrite
> memory.  However, a denial of service is possible and someone may come
> up with other clever attacks.  Thus this should be fix.
> Affected versions: All Libksba versions < 1.3.2
> Background: Yesterday Hanno Böck found an invalid memory access in the
> 2.1 branch of GnuPG by conveying a malformed OID as part of an ECC key.
> It turned out that this bug has also been in libksba ever since and
> affects at least gpgsm and dirmngr.  The code to convert an OID to its
> string representation has an obvious error of not considering an invalid
> encoding for arc-2.  A first byte of 0x80 can be used to make a value of
> less then 80 and we then subtract 80 from it as required by the OID
> encoding rules.  Due to the use of an unsigned integer this results in a
> pretty long value which won't fit anymore into the allocated buffer.
> The actual fix for lib Libksba is commit f715b9e.

Upstream fix:;a=commit;h=f715b9e156dfa99ae829fc694e5a0abd23ef97d7

Can a CVE be assigned for this issue in libksba (if not already requested).


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.