* Re: [OE-core] [meta-core][PATCH 1/1] libksba: fix CVE-2022-3515
  2022-12-08  6:27 Manoj Saun
@ 2022-12-08  9:23 ` Alexandre Belloni
  0 siblings, 0 replies; 4+ messages in thread
From: Alexandre Belloni @ 2022-12-08  9:23 UTC
  To: Manoj Saun; +Cc: openembedded-core, narpat.mali

Hello,

On 08/12/2022 06:27:44+0000, Manoj Saun wrote:
> libksba: integer overflow may lead to remote code execution.
> 
> Reference:
> https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html
> 
> Upstream fixes:
> https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=4b7d9cd4a018898d7714ce06f3faf2626c14582b
> 

The patch is missing Upstream-Status:

Missing Upstream-Status tag (meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch)

> Signed-off-by: Manoj Saun <manojsingh.saun@windriver.com>
> ---
>  ...e-overflow-directly-in-the-TLV-parse.patch | 42 +++++++++++++++++++
>  meta/recipes-support/libksba/libksba_1.6.2.bb |  3 +-
>  2 files changed, 44 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
> 
> diff --git a/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch b/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
> new file mode 100644
> index 0000000000..e2cb842a4d
> --- /dev/null
> +++ b/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
> @@ -0,0 +1,42 @@
> +From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001
> +From: Werner Koch <wk@gnupg.org>
> +Date: Wed, 5 Oct 2022 14:19:06 +0200
> +Subject: [PATCH] Detect a possible overflow directly in the TLV parser.
> +
> +* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
> +used sum.
> +--
> +
> +It is quite common to have checks like
> +
> +    if (ti.nhdr + ti.length >= DIM(tmpbuf))
> +       return gpg_error (GPG_ERR_TOO_LARGE);
> +
> +This patch detects possible integer overflows immmediately when
> +creating the TI object.
> +
> +Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
> +---
> + src/ber-help.c | 6 ++++++
> + 1 file changed, 6 insertions(+)
> +
> +diff --git a/src/ber-help.c b/src/ber-help.c
> +index 81c31ed..56efb6a 100644
> +--- a/src/ber-help.c
> ++++ b/src/ber-help.c
> +@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
> +       ti->length = len;
> +     }
> + 
> ++  if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
> ++    {
> ++      ti->err_string = "header+length would overflow";
> ++      return gpg_error (GPG_ERR_EOVERFLOW);
> ++    }
> ++
> +   /* Without this kludge some example certs can't be parsed */
> +   if (ti->class == CLASS_UNIVERSAL && !ti->tag)
> +     ti->length = 0;
> +-- 
> +2.34.1
> +
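Review bot: The new 0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch file has no `Upstream-Status:` or `CVE:` line in its header, between the `Reported-by:` line and the `---` separator. Add `Upstream-Status: Backport [...]` with the upstream commit URL from the commit message, and `CVE: CVE-2022-3515`, at that position so the tags travel with the patch file itself and not only with the mail.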
> diff --git a/meta/recipes-support/libksba/libksba_1.6.2.bb b/meta/recipes-support/libksba/libksba_1.6.2.bb
> index f6ecb9aec4..c25c23ef0f 100644
> --- a/meta/recipes-support/libksba/libksba_1.6.2.bb
> +++ b/meta/recipes-support/libksba/libksba_1.6.2.bb
> @@ -22,7 +22,8 @@ inherit autotools binconfig-disabled pkgconfig texinfo
>  
>  UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html"
>  SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
> -           file://ksba-add-pkgconfig-support.patch"
> +           file://ksba-add-pkgconfig-support.patch \
> +           file://0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch"
>  
>  SRC_URI[sha256sum] = "fce01ccac59812bddadffacff017dac2e4762bdb6ebc6ffe06f6ed4f6192c971"
>  
> -- 
> 2.34.1
> 



-- 
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



* [meta-core][PATCH 1/1] libksba: fix CVE-2022-3515
@ 2022-12-09  6:11 Manoj Saun
  2022-12-09  7:30 ` [OE-core] " Peter Kjellerstedt
  2022-12-09  7:57 ` Alexandre Belloni
  0 siblings, 2 replies; 4+ messages in thread
From: Manoj Saun @ 2022-12-09  6:11 UTC
  To: openembedded-core
  Cc: archana.polampalli, narpat.mali, hari.gpillai, Manoj Saun

libksba: integer overflow may lead to remote code execution.

Reference:
https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html

Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=4b7d9cd4a018898d7714ce06f3faf2626c14582b]

CVE: CVE-2022-3515

Signed-off-by: Manoj Saun <manojsingh.saun@windriver.com>
---
 ...e-overflow-directly-in-the-TLV-parse.patch | 42 +++++++++++++++++++
 meta/recipes-support/libksba/libksba_1.6.2.bb |  3 +-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch

diff --git a/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch b/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
new file mode 100644
index 0000000000..e2cb842a4d
--- /dev/null
+++ b/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
@@ -0,0 +1,42 @@
+From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Wed, 5 Oct 2022 14:19:06 +0200
+Subject: [PATCH] Detect a possible overflow directly in the TLV parser.
+
+* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
+used sum.
+--
+
+It is quite common to have checks like
+
+    if (ti.nhdr + ti.length >= DIM(tmpbuf))
+       return gpg_error (GPG_ERR_TOO_LARGE);
+
+This patch detects possible integer overflows immmediately when
+creating the TI object.
+
+Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
+---
+ src/ber-help.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/ber-help.c b/src/ber-help.c
+index 81c31ed..56efb6a 100644
+--- a/src/ber-help.c
++++ b/src/ber-help.c
+@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
+       ti->length = len;
+     }
+ 
++  if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
++    {
++      ti->err_string = "header+length would overflow";
++      return gpg_error (GPG_ERR_EOVERFLOW);
++    }
++
+   /* Without this kludge some example certs can't be parsed */
+   if (ti->class == CLASS_UNIVERSAL && !ti->tag)
+     ti->length = 0;
+-- 
+2.34.1
+
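Review bot: In the embedded src/ber-help.c hunk, the added test `(ti->nhdr + ti->length) < ti->length` detects the wraparound only if both fields are unsigned and the sum is evaluated at the same width that later callers use; the declarations are not visible in this hunk, so confirm them against struct tag_info when reviewing the backport. The leading `ti->length > ti->nhdr` clause also skips the test whenever the length is no larger than the header size, which is harmless only while nhdr stays small. As this is a verbatim upstream backport, keep the code unchanged and raise any finding upstream instead of diverging locally.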
diff --git a/meta/recipes-support/libksba/libksba_1.6.2.bb b/meta/recipes-support/libksba/libksba_1.6.2.bb
index f6ecb9aec4..c25c23ef0f 100644
--- a/meta/recipes-support/libksba/libksba_1.6.2.bb
+++ b/meta/recipes-support/libksba/libksba_1.6.2.bb
@@ -22,7 +22,8 @@ inherit autotools binconfig-disabled pkgconfig texinfo
 
 UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html"
 SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
-           file://ksba-add-pkgconfig-support.patch"
+           file://ksba-add-pkgconfig-support.patch \
+           file://0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch"
 
 SRC_URI[sha256sum] = "fce01ccac59812bddadffacff017dac2e4762bdb6ebc6ffe06f6ed4f6192c971"
 
-- 
2.34.1




* RE: [OE-core] [meta-core][PATCH 1/1] libksba: fix CVE-2022-3515
  2022-12-09  6:11 [meta-core][PATCH 1/1] libksba: fix CVE-2022-3515 Manoj Saun
@ 2022-12-09  7:30 ` Peter Kjellerstedt
  2022-12-09  7:57 ` Alexandre Belloni
  1 sibling, 0 replies; 4+ messages in thread
From: Peter Kjellerstedt @ 2022-12-09  7:30 UTC
  To: Manoj Saun, openembedded-core@lists.openembedded.org
  Cc: archana.polampalli@windriver.com, narpat.mali@windriver.com,
	hari.gpillai@windriver.com

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Manoj Saun
> Sent: den 9 december 2022 07:12
> To: openembedded-core@lists.openembedded.org
> Cc: archana.polampalli@windriver.com; narpat.mali@windriver.com; hari.gpillai@windriver.com; Manoj Saun <manojsingh.saun@windriver.com>
> Subject: [OE-core] [meta-core][PATCH 1/1] libksba: fix CVE-2022-3515
> 
> libksba: integer overflow may lead to remote code execution.

May I suggest using the above as subject instead of the current subject? 
E.g.:

  libksba: Avoid integer overflow that may lead to remote code execution

It is much more informative about what the commit actually does than the 
CVE number. The CVE reference below should be enough for anyone looking 
for more information.

> 
> Reference:
> https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html
> 
> Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=4b7d9cd4a018898d7714ce06f3faf2626c14582b]
> 
> CVE: CVE-2022-3515
> 
> Signed-off-by: Manoj Saun <manojsingh.saun@windriver.com>

//Peter




* Re: [OE-core] [meta-core][PATCH 1/1] libksba: fix CVE-2022-3515
  2022-12-09  6:11 [meta-core][PATCH 1/1] libksba: fix CVE-2022-3515 Manoj Saun
  2022-12-09  7:30 ` [OE-core] " Peter Kjellerstedt
@ 2022-12-09  7:57 ` Alexandre Belloni
  1 sibling, 0 replies; 4+ messages in thread
From: Alexandre Belloni @ 2022-12-09  7:57 UTC
  To: Manoj Saun
  Cc: openembedded-core, archana.polampalli, narpat.mali, hari.gpillai

On 09/12/2022 06:11:30+0000, Manoj Saun wrote:
> libksba: integer overflow may lead to remote code execution.
> 
> Reference:
> https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html
> 
> Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=4b7d9cd4a018898d7714ce06f3faf2626c14582b]
> 
> CVE: CVE-2022-3515

Those two tags need to go in the patch you are adding, not only in your
commit log.

> 
> Signed-off-by: Manoj Saun <manojsingh.saun@windriver.com>
> ---
>  ...e-overflow-directly-in-the-TLV-parse.patch | 42 +++++++++++++++++++
>  meta/recipes-support/libksba/libksba_1.6.2.bb |  3 +-
>  2 files changed, 44 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
> 
> diff --git a/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch b/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
> new file mode 100644
> index 0000000000..e2cb842a4d
> --- /dev/null
> +++ b/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
> @@ -0,0 +1,42 @@
> +From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001
> +From: Werner Koch <wk@gnupg.org>
> +Date: Wed, 5 Oct 2022 14:19:06 +0200
> +Subject: [PATCH] Detect a possible overflow directly in the TLV parser.
> +
> +* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
> +used sum.
> +--
> +
> +It is quite common to have checks like
> +
> +    if (ti.nhdr + ti.length >= DIM(tmpbuf))
> +       return gpg_error (GPG_ERR_TOO_LARGE);
> +
> +This patch detects possible integer overflows immmediately when
> +creating the TI object.
> +
> +Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
> +---
> + src/ber-help.c | 6 ++++++
> + 1 file changed, 6 insertions(+)
> +
> +diff --git a/src/ber-help.c b/src/ber-help.c
> +index 81c31ed..56efb6a 100644
> +--- a/src/ber-help.c
> ++++ b/src/ber-help.c
> +@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
> +       ti->length = len;
> +     }
> + 
> ++  if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
> ++    {
> ++      ti->err_string = "header+length would overflow";
> ++      return gpg_error (GPG_ERR_EOVERFLOW);
> ++    }
> ++
> +   /* Without this kludge some example certs can't be parsed */
> +   if (ti->class == CLASS_UNIVERSAL && !ti->tag)
> +     ti->length = 0;
> +-- 
> +2.34.1
> +
> diff --git a/meta/recipes-support/libksba/libksba_1.6.2.bb b/meta/recipes-support/libksba/libksba_1.6.2.bb
> index f6ecb9aec4..c25c23ef0f 100644
> --- a/meta/recipes-support/libksba/libksba_1.6.2.bb
> +++ b/meta/recipes-support/libksba/libksba_1.6.2.bb
> @@ -22,7 +22,8 @@ inherit autotools binconfig-disabled pkgconfig texinfo
>  
>  UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html"
>  SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
> -           file://ksba-add-pkgconfig-support.patch"
> +           file://ksba-add-pkgconfig-support.patch \
> +           file://0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch"
>  
>  SRC_URI[sha256sum] = "fce01ccac59812bddadffacff017dac2e4762bdb6ebc6ffe06f6ed4f6192c971"
>  
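Review bot: The SRC_URI change adds the backport to libksba_1.6.2.bb, while the backported upstream commit is dated 5 Oct 2022; please confirm that the 1.6.2 tarball referenced by `SRC_URI[sha256sum]` does not already contain the `header+length would overflow` check in `_ksba_ber_read_tl`. If it does, the recipe needs no extra patch, and the commit message should say which recipe version is actually affected.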
> -- 
> 2.34.1
> 



-- 
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


