Package: libksba / 1.3.2-1+deb8u1

Metadata

Package:        libksba
Version:        1.3.2-1+deb8u1
Patches format: 3.0 (quilt)

Patch series

Do not abort on decoder stack overflow.patch

src/ber-decoder.c | 30 18 + 12 - 0 !
1 file changed, 18 insertions(+), 12 deletions(-)

 [PATCH] Do not abort on decoder stack overflow.

* src/ber-decoder.c (push_decoder_state, pop_decoder_state): Return an
error code.
(set_error): Prefix error message with "ksba:". Act on new return code.
(decoder_next): Act on new return code.
--

This changes the behaviour from

  gpgsm: unknown hash algorithm '1.8.48.48.48.48.48.48.48.48'
  gpgsm: detached signature w/o data - assuming certs-only
  ERROR: decoder stack overflow!
  Aborted

to

  gpgsm: detached signature w/o data - assuming certs-only
  ksba: ber-decoder: stack overflow!
  gpgsm: ksba_cms_parse failed: Limit reached

Use "gpgsm --verify FILE" to exhibit the problem.  FILE is

Fix integer overflow in the BER decoder.patch

src/ber-decoder.c | 71 54 + 17 - 0 !
1 file changed, 54 insertions(+), 17 deletions(-)

 [PATCH] Fix integer overflow in the BER decoder.

* src/ber-decoder.c (ber_decoder_s): Change val.length from int to
size_t.
(sum_a1_a2_gt_b, sum_a1_a2_ge_b): New.
(decoder_next): Check for integer overflow.  Use new sum function for
size check.
(_ksba_ber_decoder_dump): Use size_t for n to match change of
val.length.  Adjust printf format.  Check for integer overflow and use
gpg_error_from_syserror instead of GPG_ERR_ENOMEM.
(_ksba_ber_decoder_decode): Use new sum function for size check.
Check for integer overflow.  Use size_t for n to match change of
val.length.
--

The actual bug described below is due to assigning an int
(val.length) to a size_t (ti.length).  The int was too large and thus
negative so that the condition to check for too large objects didn't
work.  Changing the type would have been enough but other conditions
are possible.  Thus the introduction of sum_a1_a2_ge_b for overflow
checking and checks when adding 100 extra bytes to malloc calls are
added.

Use "gpgsm --verify FILE" to exhibit the problem.  FILE is
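
The two defects the message above describes (an int length that went negative and was then copied into a size_t, and an add of allocation headroom that can wrap) side by side with the overflow-safe comparison the fix introduces, as an added C illustration that is not libksba's code: sum_gt here models the kind of helper the message calls sum_a1_a2_gt_b, and the 100-byte headroom and 1 MiB object limit are assumed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Overflow-safe "a1 + a2 > b" on size_t operands.  A plain a1 + a2 wraps
 * modulo SIZE_MAX + 1, so a huge length could compare as small; if the
 * add would wrap, the mathematical sum is certainly greater than b. */
static bool sum_gt (size_t a1, size_t a2, size_t b)
{
  if (a1 > SIZE_MAX - a2)
    return true;
  return a1 + a2 > b;
}

/* Before: the length lives in an int, is size-checked as an int, and is
 * then copied into a size_t.  An int that wrapped negative passes
 * "length > limit" and becomes a value near SIZE_MAX on conversion. */
static bool accept_length_before (int length, int limit, size_t *out)
{
  if (length > limit)
    return false;
  *out = (size_t) length;   /* (size_t)-1 == SIZE_MAX */
  return true;
}

/* After: the length is a size_t from the start and the headroom added
 * before malloc (100 bytes here, an assumed value) is checked with
 * sum_gt, so neither an oversized object nor a wrapping add gets through. */
static bool accept_length_after (size_t length, size_t limit, size_t *alloc)
{
  if (sum_gt (length, 100, limit))
    return false;
  *alloc = length + 100;    /* cannot wrap: checked above */
  return true;
}

int main (void)
{
  size_t n = 0, limit = 1u << 20;   /* assumed 1 MiB object limit */
  bool ok = accept_length_before (-1, (int) limit, &n);
  printf ("before: negative int accepted=%d, stored as %zu\n", ok, n);
  ok = accept_length_after (SIZE_MAX - 50, limit, &n);
  printf ("after: wrapping length accepted=%d\n", ok);
  ok = accept_length_after (1000, limit, &n);
  printf ("after: 1000-byte object accepted=%d, malloc(%zu)\n", ok, n);
  return 0;
}
```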

Fix encoding of invalid utf 8 strings in dn.c.patch

src/dn.c | 44 27 + 17 - 0 !
1 file changed, 27 insertions(+), 17 deletions(-)

 [PATCH] Fix encoding of invalid UTF-8 strings in dn.c

* src/dn.c (append_quoted, append_atv): Use snprintf.
(append_utf8_value): Fix invalid encoding handling.
--

An invalid utf-8 encoding will make the loop in append_utf8_value run
once more with N > length which is not found by the termination
condition and only the former assert terminates the process if the byte
following the bad encoding has the high bit cleared.  This will lead
to a read access out of bounds.

The patch removes the assert and fixes the handling of bad encoding.
Due to the new quoting the output of a badly encoded utf-8 string will

Fix an OOB read access in _ksba_dn_to_str.patch

src/dn.c | 5 1 + 4 - 0 !
1 file changed, 1 insertion(+), 4 deletions(-)

 [PATCH] Fix an OOB read access in _ksba_dn_to_str.

* src/dn.c (append_utf8_value): Use a straightforward check to fix an
off-by-one.
--

The old fix for the problem from April 2015 had an off-by-one in the
bad encoding handling.

Fixes-commit: 243d12fdec66a4360fbb3e307a046b39b5b4ffc3
GnuPG-bug-id: 2344
Reported-by: Pascal Cuoq
Signed-off-by: Werner Koch <wk@gnupg.org>

Fix possible read access beyond the buffer.patch

src/ber-help.c | 6 6 + 0 - 0 !
src/cert.c | 23 22 + 1 - 0 !
src/name.c | 2 1 + 1 - 0 !
src/ocsp.c | 2 2 + 0 - 0 !
4 files changed, 31 insertions(+), 2 deletions(-)

 [PATCH] Fix possible read access beyond the buffer.

* src/ber-help.c (_ksba_ber_parse_tl): Add extra sanity check.
* src/cert.c (ksba_cert_get_cert_policies): Check TLV given length
against buffer length.
(ksba_cert_get_ext_key_usages): Ditto.
* src/ocsp.c (parse_asntime_into_isotime): Ditto.
--

The returned length of the object from _ksba_ber_parse_tl (ti.length)
was not always checked against the actual buffer length, thus leading
to a read access after the end of the buffer and thus a segv.

GnuPG-bug-id: 2344
Reported-by: Pascal Cuoq
Signed-off-by: Werner Koch <wk@gnupg.org>