Package: libksba / 1.3.2-1+deb8u1
Metadata
Package | Version | Patches format |
---|---|---|
libksba | 1.3.2-1+deb8u1 | 3.0 (quilt) |
Patch series
Patch | File delta | Description |
---|---|---|
Do not abort on decoder stack overflow.patch | src/ber-decoder.c: 30 lines (+18, -12) | [patch] do not abort on decoder stack overflow. * src/ber-decoder.c (push_decoder_state, pop_decoder_state): Return an error code. (set_error): Prefix error message with "ksba:". Act on new return code. (decoder_next): Act on new return code. -- This changes the behaviour from `gpgsm: unknown hash algorithm '1.8.48.48.48.48.48.48.48.48'` `gpgsm: detached signature w/o data - assuming certs-only` `ERROR: decoder stack overflow!` `Aborted` to `gpgsm: detached signature w/o data - assuming certs-only` `ksba: ber-decoder: stack overflow!` `gpgsm: ksba_cms_parse failed: Limit reached` Use "gpgsm --verify FILE" to exhibit the problem. FILE is |
Fix integer overflow in the BER decoder.patch | src/ber-decoder.c: 71 lines (+54, -17) | [patch] fix integer overflow in the ber decoder. * src/ber-decoder.c (ber_decoder_s): Change val.length from int to size_t. (sum_a1_a2_gt_b, sum_a1_a2_ge_b): New. (decoder_next): Check for integer overflow. Use new sum function for size check. (_ksba_ber_decoder_dump): Use size_t for n to match change of val.length. Adjust printf format. Check for integer overflow and use gpg_error_from_syserror instead of GPG_ERR_ENOMEM. (_ksba_ber_decoder_decode): Use new sum function for size check. Check for integer overflow. Use size_t for n to match change of val.length. -- The actual bug described below is due to assigning an int (val.length) to a size_t (ti.length). The int was too large and thus negative so that the condition to check for too large objects didn't work. Changing the type would have been enough but other conditions are possible. Thus the introduction of sum_a1_a2_ge_b for overflow checking and checks when adding 100 extra bytes to malloc calls are added. Use "gpgsm --verify FILE" to exhibit the problem. FILE is |
Fix encoding of invalid utf 8 strings in dn.c.patch | src/dn.c: 44 lines (+27, -17) | [patch] fix encoding of invalid utf-8 strings in dn.c * src/dn.c (append_quoted, append_atv): Use snprintf. (append_utf8_value): Fix invalid encoding handling. -- An invalid utf-8 encoding will make the loop in append_utf8_value run once more with N > length which is not found by the termination condition and only the former assert terminates the process if the byte following the bad encoding has the high bit cleared. This will lead to a read access out of bounds. The patch removes the assert and fixes the handling of bad encoding. Due to the new quoting the output of a badly encoded utf-8 string will |
Fix an OOB read access in _ksba_dn_to_str.patch | src/dn.c: 5 lines (+1, -4) | [patch] fix an oob read access in _ksba_dn_to_str. * src/dn.c (append_utf8_value): Use a straightforward check to fix an off-by-one. -- The old fix for the problem from April 2015 had an off-by-one in the bad encoding handling. Fixes-commit: 243d12fdec66a4360fbb3e307a046b39b5b4ffc3 GnuPG-bug-id: 2344 Reported-by: Pascal Cuoq Signed-off-by: Werner Koch <wk@gnupg.org> |
Fix possible read access beyond the buffer.patch | src/ber-help.c: 6 lines (+6, -0) | [patch] fix possible read access beyond the buffer. * src/ber-help.c (_ksba_ber_parse_tl): Add extra sanity check. * src/cert.c (ksba_cert_get_cert_policies): Check TLV given length against buffer length. (ksba_cert_get_ext_key_usages): Ditto. * src/ocsp.c (parse_asntime_into_isotime): Ditto. -- The returned length of the object from _ksba_ber_parse_tl (ti.length) was not always checked against the actual buffer length, thus leading to a read access after the end of the buffer and thus a segv. GnuPG-bug-id: 2344 Reported-by: Pascal Cuoq Signed-off-by: Werner Koch <wk@gnupg.org> |