Message ID | 20221209061130.3794053-1-manojsingh.saun@windriver.com |
---|---|
State | New |
Headers | show |
Series | [meta-core,1/1] libksba: fix CVE-2022-3515 | expand |
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Manoj Saun
> Sent: 9 December 2022 07:12
> To: openembedded-core@lists.openembedded.org
> Cc: archana.polampalli@windriver.com; narpat.mali@windriver.com; hari.gpillai@windriver.com; Manoj Saun <manojsingh.saun@windriver.com>
> Subject: [OE-core] [meta-core][PATCH 1/1] libksba: fix CVE-2022-3515
>
> libksba: integer overflow may lead to remote code execution.

May I suggest using the above as subject instead of the current subject? E.g.:

libksba: Avoid integer overflow that may lead to remote code execution

It is much more informative about what the commit actually does than the CVE number. The CVE reference below should be enough for anyone looking for more information.

>
> Reference:
> https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html
>
> Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=4b7d9cd4a018898d7714ce06f3faf2626c14582b]
>
> CVE: CVE-2022-3515
>
> Signed-off-by: Manoj Saun <manojsingh.saun@windriver.com>

//Peter
On 09/12/2022 06:11:30+0000, Manoj Saun wrote:
> libksba: integer overflow may lead to remote code execution.
>
> Reference:
> https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html
>
> Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=4b7d9cd4a018898d7714ce06f3faf2626c14582b]
>
> CVE: CVE-2022-3515

Those two tags need to go in the patch you are adding, not only in your commit log

>
> Signed-off-by: Manoj Saun <manojsingh.saun@windriver.com>
> ---
>  ...e-overflow-directly-in-the-TLV-parse.patch | 42 +++++++++++++++++++
>  meta/recipes-support/libksba/libksba_1.6.2.bb |  3 +-
>  2 files changed, 44 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
>
> diff --git a/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch b/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
> new file mode 100644
> index 0000000000..e2cb842a4d
> --- /dev/null
> +++ b/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
> @@ -0,0 +1,42 @@ > +From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001 > +From: Werner Koch <wk@gnupg.org> > +Date: Wed, 5 Oct 2022 14:19:06 +0200 > +Subject: [PATCH] Detect a possible overflow directly in the TLV parser. > + > +* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly > +used sum. > +-- > + > +It is quite common to have checks like > + > + if (ti.nhdr + ti.length >= DIM(tmpbuf)) > + return gpg_error (GPG_ERR_TOO_LARGE); > + > +This patch detects possible integer overflows immmediately when > +creating the TI object. > + > +Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929 > +--- > + src/ber-help.c | 6 ++++++ > + 1 file changed, 6 insertions(+) > + > +diff --git a/src/ber-help.c b/src/ber-help.c > +index 81c31ed..56efb6a 100644 > +--- a/src/ber-help.c > ++++ b/src/ber-help.c > +@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti) > + ti->length = len; > + } > + > ++ if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length) > ++ { > ++ ti->err_string = "header+length would overflow"; > ++ return gpg_error (GPG_ERR_EOVERFLOW); > ++ } > ++ > + /* Without this kludge some example certs can't be parsed */ > + if (ti->class == CLASS_UNIVERSAL && !ti->tag) > + ti->length = 0; > +-- > +2.34.1 > + > diff --git a/meta/recipes-support/libksba/libksba_1.6.2.bb b/meta/recipes-support/libksba/libksba_1.6.2.bb > index f6ecb9aec4..c25c23ef0f 100644 > --- a/meta/recipes-support/libksba/libksba_1.6.2.bb > +++ b/meta/recipes-support/libksba/libksba_1.6.2.bb 
> @@ -22,7 +22,8 @@ inherit autotools binconfig-disabled pkgconfig texinfo > > UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html" > SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ > - file://ksba-add-pkgconfig-support.patch" > + file://ksba-add-pkgconfig-support.patch \ > + file://0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch" > > SRC_URI[sha256sum] = "fce01ccac59812bddadffacff017dac2e4762bdb6ebc6ffe06f6ed4f6192c971" > > -- > 2.34.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#174430): https://lists.openembedded.org/g/openembedded-core/message/174430 > Mute This Topic: https://lists.openembedded.org/mt/95533228/3617179 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alexandre.belloni@bootlin.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch b/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch new file mode 100644 index 0000000000..e2cb842a4d --- /dev/null +++ b/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch @@ -0,0 +1,42 @@ +From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001 +From: Werner Koch <wk@gnupg.org> +Date: Wed, 5 Oct 2022 14:19:06 +0200 +Subject: [PATCH] Detect a possible overflow directly in the TLV parser. + +* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly +used sum. +-- + +It is quite common to have checks like + + if (ti.nhdr + ti.length >= DIM(tmpbuf)) + return gpg_error (GPG_ERR_TOO_LARGE); + +This patch detects possible integer overflows immmediately when +creating the TI object. + +Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929 +--- + src/ber-help.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/ber-help.c b/src/ber-help.c +index 81c31ed..56efb6a 100644 +--- a/src/ber-help.c ++++ b/src/ber-help.c +@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti) + ti->length = len; + } + ++ if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length) ++ { ++ ti->err_string = "header+length would overflow"; ++ return gpg_error (GPG_ERR_EOVERFLOW); ++ } ++ + /* Without this kludge some example certs can't be parsed */ + if (ti->class == CLASS_UNIVERSAL && !ti->tag) + ti->length = 0; +-- +2.34.1 + diff --git a/meta/recipes-support/libksba/libksba_1.6.2.bb b/meta/recipes-support/libksba/libksba_1.6.2.bb index f6ecb9aec4..c25c23ef0f 100644 --- a/meta/recipes-support/libksba/libksba_1.6.2.bb +++ b/meta/recipes-support/libksba/libksba_1.6.2.bb 
@@ -22,7 +22,8 @@ inherit autotools binconfig-disabled pkgconfig texinfo UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html" SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ - file://ksba-add-pkgconfig-support.patch" + file://ksba-add-pkgconfig-support.patch \ + file://0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch" SRC_URI[sha256sum] = "fce01ccac59812bddadffacff017dac2e4762bdb6ebc6ffe06f6ed4f6192c971"
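Review bot: the new patch file's header (the lines between `Subject:` and the `---` diffstat) carries no `Upstream-Status:` or `CVE:` line, so the two tags that appear in the commit log are absent from the file OE-core actually keeps in-tree; add `Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=4b7d9cd4a018898d7714ce06f3faf2626c14582b]`, `CVE: CVE-2022-3515` and the backporter's own `Signed-off-by:` below the upstream `Reported-by:` line. On the code in the hunk, `(ti->nhdr + ti->length) < ti->length` detects the wrap only if both `struct tag_info` fields are unsigned; the struct definition is not part of this diff, so confirm that against the 1.6.2 `ber-help.h` when backporting. Note also that `ti->length` is left populated when `GPG_ERR_EOVERFLOW` is returned, so every caller has to act on the return code before touching the length.

Review bot: adding the file to `SRC_URI` will not, on its own, make `cve-check` treat CVE-2022-3515 as patched: that class marks a CVE fixed only when a patch file name contains the CVE id or the patch itself carries a `CVE:` line, and neither holds here (the file is `0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch` and its header has no `CVE:` tag). Either put the tag inside the patch file or rename it to include `CVE-2022-3515`; the recipe edit itself, with the continuation backslash moved to the pkgconfig line, is fine.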
libksba: integer overflow may lead to remote code execution.

Reference:
https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html

Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=4b7d9cd4a018898d7714ce06f3faf2626c14582b]

CVE: CVE-2022-3515

Signed-off-by: Manoj Saun <manojsingh.saun@windriver.com>
---
 ...e-overflow-directly-in-the-TLV-parse.patch | 42 +++++++++++++++++++
 meta/recipes-support/libksba/libksba_1.6.2.bb |  3 +-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
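The commit message above only says that an integer overflow may lead to remote code execution. The mechanism the upstream fix addresses is that a BER length read from untrusted input is later added to the header size, and that `size_t` sum wraps, so a bound check of the form `nhdr + length >= DIM(tmpbuf)` passes for a length that is actually enormous. The following is an added example, not libksba's code and not part of this patch: a minimal in-memory BER tag/length reader shaped like `_ksba_ber_read_tl`, carrying the same wrap-around check, together with the call-site idiom from the upstream commit message so the effect of the check can be observed. `tl_status`, `ber_read_tl`, `naive_fits` and `make_wrapping_tlv` are this example's own names; the constructed input is a bare OCTET STRING header whose long-form length is `SIZE_MAX`.

```c
/* Added example, not libksba's code: a minimal in-memory BER tag/length
 * reader shaped like _ksba_ber_read_tl, carrying the header+length wrap
 * check from the CVE-2022-3515 fix. All names here are this example's own. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum tl_status { TL_OK = 0, TL_EOF, TL_BAD_LENGTH, TL_EOVERFLOW };

struct tag_info {
    unsigned int  cls;          /* identifier octet bits 7..6 */
    int           constructed;  /* identifier octet bit 5 */
    unsigned long tag;
    size_t        length;       /* content octets; 0 when ndef is set */
    size_t        nhdr;         /* header octets consumed */
    int           ndef;         /* indefinite-length form (0x80) */
    const char   *err_string;
};

/* Parse one identifier+length header from buf[0..buflen). */
enum tl_status ber_read_tl(const unsigned char *buf, size_t buflen,
                           struct tag_info *ti)
{
    size_t pos = 0;
    unsigned char c;

    memset(ti, 0, sizeof *ti);
    if (pos >= buflen) return TL_EOF;
    c = buf[pos++];
    ti->cls = (c >> 6) & 3;
    ti->constructed = (c & 0x20) != 0;
    ti->tag = c & 0x1f;
    if (ti->tag == 0x1f) {                  /* high-tag-number form */
        ti->tag = 0;
        do {
            if (pos >= buflen) return TL_EOF;
            if (ti->tag > (ULONG_MAX >> 7)) {
                ti->err_string = "tag too large";
                return TL_EOVERFLOW;
            }
            c = buf[pos++];
            ti->tag = (ti->tag << 7) | (c & 0x7f);
        } while (c & 0x80);
    }

    if (pos >= buflen) return TL_EOF;
    c = buf[pos++];
    if (c == 0x80) {
        ti->ndef = 1;                       /* indefinite length */
    } else if (c & 0x80) {
        unsigned int n = c & 0x7f;          /* long form: n length octets */
        size_t len = 0;
        if (n > sizeof len) {               /* would not fit in size_t */
            ti->err_string = "length field too wide";
            return TL_BAD_LENGTH;
        }
        while (n--) {
            if (pos >= buflen) return TL_EOF;
            len = (len << 8) | buf[pos++];
        }
        ti->length = len;
    } else {
        ti->length = c;                     /* short form */
    }
    ti->nhdr = pos;

    /* The check added upstream: callers compute ti->nhdr + ti->length, and
     * for unsigned operands that sum wraps exactly when it comes out smaller
     * than ti->length. (Upstream additionally guards with
     * ti->length > ti->nhdr, which the unsigned comparison does not need.) */
    if (ti->nhdr + ti->length < ti->length) {
        ti->err_string = "header+length would overflow";
        return TL_EOVERFLOW;
    }
    return TL_OK;
}

/* The call-site idiom quoted in the upstream commit message: do header and
 * content fit in bufsize octets? A wrapped sum passes this test. */
int naive_fits(const struct tag_info *ti, size_t bufsize)
{
    return (ti->nhdr + ti->length) < bufsize;
}

/* Constructed input: an OCTET STRING header whose long-form length is
 * SIZE_MAX (0x04, 0x80|sizeof(size_t), then sizeof(size_t) bytes of 0xff).
 * Returns the header size; no content follows. */
size_t make_wrapping_tlv(unsigned char *out)
{
    out[0] = 0x04;
    out[1] = (unsigned char)(0x80 | sizeof(size_t));
    memset(out + 2, 0xff, sizeof(size_t));
    return 2 + sizeof(size_t);
}
```

Feeding the output of `make_wrapping_tlv` to `ber_read_tl` returns `TL_EOVERFLOW`, while `naive_fits` on the same `tag_info` would report that a `SIZE_MAX`-byte value fits in a 4 KiB buffer, because `nhdr + length` has wrapped to `nhdr - 1`. That is the gap the upstream hunk closes at the parser rather than at each of the many call sites.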