[meta-core][PATCH 1/1] libksba: fix CVE-2022-3515

All of lore.kernel.org
 help / color / mirror / Atom feed

* [meta-core][PATCH 1/1] libksba: fix CVE-2022-3515
@ 2022-12-09  6:11 Manoj Saun
  2022-12-09  7:30 ` [OE-core] " Peter Kjellerstedt
  2022-12-09  7:57 ` Alexandre Belloni
  0 siblings, 2 replies; 4+ messages in thread
From: Manoj Saun @ 2022-12-09  6:11 UTC (permalink / raw)
  To: openembedded-core
  Cc: archana.polampalli, narpat.mali, hari.gpillai, Manoj Saun

libksba: integer overflow may lead to remote code execution.

Reference:
https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html

Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=4b7d9cd4a018898d7714ce06f3faf2626c14582b]

CVE: CVE-2022-3515

Signed-off-by: Manoj Saun <manojsingh.saun@windriver.com>
---
 ...e-overflow-directly-in-the-TLV-parse.patch | 42 +++++++++++++++++++
 meta/recipes-support/libksba/libksba_1.6.2.bb |  3 +-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch

diff --git a/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch b/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
new file mode 100644
index 0000000000..e2cb842a4d
--- /dev/null
+++ b/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
@@ -0,0 +1,42 @@
+From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Wed, 5 Oct 2022 14:19:06 +0200
+Subject: [PATCH] Detect a possible overflow directly in the TLV parser.
+
+* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
+used sum.
+--
+
+It is quite common to have checks like
+
+    if (ti.nhdr + ti.length >= DIM(tmpbuf))
+       return gpg_error (GPG_ERR_TOO_LARGE);
+
+This patch detects possible integer overflows immmediately when
+creating the TI object.
+
+Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
+---
+ src/ber-help.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/ber-help.c b/src/ber-help.c
+index 81c31ed..56efb6a 100644
+--- a/src/ber-help.c
++++ b/src/ber-help.c
+@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
+       ti->length = len;
+     }
+ 
++  if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
++    {
++      ti->err_string = "header+length would overflow";
++      return gpg_error (GPG_ERR_EOVERFLOW);
++    }
++
+   /* Without this kludge some example certs can't be parsed */
+   if (ti->class == CLASS_UNIVERSAL && !ti->tag)
+     ti->length = 0;
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/libksba/libksba_1.6.2.bb b/meta/recipes-support/libksba/libksba_1.6.2.bb
index f6ecb9aec4..c25c23ef0f 100644
--- a/meta/recipes-support/libksba/libksba_1.6.2.bb
+++ b/meta/recipes-support/libksba/libksba_1.6.2.bb
@@ -22,7 +22,8 @@ inherit autotools binconfig-disabled pkgconfig texinfo
 
 UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html"
 SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
-           file://ksba-add-pkgconfig-support.patch"
+           file://ksba-add-pkgconfig-support.patch \
+           file://0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch"
 
 SRC_URI[sha256sum] = "fce01ccac59812bddadffacff017dac2e4762bdb6ebc6ffe06f6ed4f6192c971"
 
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* RE: [OE-core] [meta-core][PATCH 1/1] libksba: fix CVE-2022-3515
  2022-12-09  6:11 [meta-core][PATCH 1/1] libksba: fix CVE-2022-3515 Manoj Saun
@ 2022-12-09  7:30 ` Peter Kjellerstedt
  2022-12-09  7:57 ` Alexandre Belloni
  1 sibling, 0 replies; 4+ messages in thread
From: Peter Kjellerstedt @ 2022-12-09  7:30 UTC (permalink / raw)
  To: Manoj Saun, openembedded-core@lists.openembedded.org
  Cc: archana.polampalli@windriver.com, narpat.mali@windriver.com,
	hari.gpillai@windriver.com

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Manoj Saun
> Sent: den 9 december 2022 07:12
> To: openembedded-core@lists.openembedded.org
> Cc: archana.polampalli@windriver.com; narpat.mali@windriver.com; hari.gpillai@windriver.com; Manoj Saun <manojsingh.saun@windriver.com>
> Subject: [OE-core] [meta-core][PATCH 1/1] libksba: fix CVE-2022-3515
> 
> libksba: integer overflow may lead to remote code execution.

May I suggest using the above as subject instead of the current subject? 
E.g.:

  libksba: Avoid integer overflow that may lead to remote code execution

It is much more informative about what the commit actually does than the 
CVE number. The CVE reference below should be enough for anyone looking 
for more information.

> 
> Reference:
> https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html
> 
> Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=4b7d9cd4a018898d7714ce06f3faf2626c14582b]
> 
> CVE: CVE-2022-3515
> 
> Signed-off-by: Manoj Saun <manojsingh.saun@windriver.com>

//Peter



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [OE-core] [meta-core][PATCH 1/1] libksba: fix CVE-2022-3515
  2022-12-09  6:11 [meta-core][PATCH 1/1] libksba: fix CVE-2022-3515 Manoj Saun
  2022-12-09  7:30 ` [OE-core] " Peter Kjellerstedt
@ 2022-12-09  7:57 ` Alexandre Belloni
  1 sibling, 0 replies; 4+ messages in thread
From: Alexandre Belloni @ 2022-12-09  7:57 UTC (permalink / raw)
  To: Manoj Saun
  Cc: openembedded-core, archana.polampalli, narpat.mali, hari.gpillai

On 09/12/2022 06:11:30+0000, Manoj Saun wrote:
> libksba: integer overflow may lead to remote code execution.
> 
> Reference:
> https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html
> 
> Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=4b7d9cd4a018898d7714ce06f3faf2626c14582b]
> 
> CVE: CVE-2022-3515

Those two tags need to go in the patch you are adding, not only in your
commit log

> 
> Signed-off-by: Manoj Saun <manojsingh.saun@windriver.com>
> ---
>  ...e-overflow-directly-in-the-TLV-parse.patch | 42 +++++++++++++++++++
>  meta/recipes-support/libksba/libksba_1.6.2.bb |  3 +-
>  2 files changed, 44 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
> 
> diff --git a/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch b/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
> new file mode 100644
> index 0000000000..e2cb842a4d
> --- /dev/null
> +++ b/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
> @@ -0,0 +1,42 @@
> +From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001
> +From: Werner Koch <wk@gnupg.org>
> +Date: Wed, 5 Oct 2022 14:19:06 +0200
> +Subject: [PATCH] Detect a possible overflow directly in the TLV parser.
> +
> +* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
> +used sum.
> +--
> +
> +It is quite common to have checks like
> +
> +    if (ti.nhdr + ti.length >= DIM(tmpbuf))
> +       return gpg_error (GPG_ERR_TOO_LARGE);
> +
> +This patch detects possible integer overflows immmediately when
> +creating the TI object.
> +
> +Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
> +---
> + src/ber-help.c | 6 ++++++
> + 1 file changed, 6 insertions(+)
> +
> +diff --git a/src/ber-help.c b/src/ber-help.c
> +index 81c31ed..56efb6a 100644
> +--- a/src/ber-help.c
> ++++ b/src/ber-help.c
> +@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
> +       ti->length = len;
> +     }
> + 
> ++  if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
> ++    {
> ++      ti->err_string = "header+length would overflow";
> ++      return gpg_error (GPG_ERR_EOVERFLOW);
> ++    }
> ++
> +   /* Without this kludge some example certs can't be parsed */
> +   if (ti->class == CLASS_UNIVERSAL && !ti->tag)
> +     ti->length = 0;
> +-- 
> +2.34.1
> +
> diff --git a/meta/recipes-support/libksba/libksba_1.6.2.bb b/meta/recipes-support/libksba/libksba_1.6.2.bb
> index f6ecb9aec4..c25c23ef0f 100644
> --- a/meta/recipes-support/libksba/libksba_1.6.2.bb
> +++ b/meta/recipes-support/libksba/libksba_1.6.2.bb
> @@ -22,7 +22,8 @@ inherit autotools binconfig-disabled pkgconfig texinfo
>  
>  UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html"
>  SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
> -           file://ksba-add-pkgconfig-support.patch"
> +           file://ksba-add-pkgconfig-support.patch \
> +           file://0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch"
>  
>  SRC_URI[sha256sum] = "fce01ccac59812bddadffacff017dac2e4762bdb6ebc6ffe06f6ed4f6192c971"
>  
> -- 
> 2.34.1
> 

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#174430): https://lists.openembedded.org/g/openembedded-core/message/174430
> Mute This Topic: https://lists.openembedded.org/mt/95533228/3617179
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alexandre.belloni@bootlin.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 


-- 
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [meta-core][PATCH 1/1] libksba: fix CVE-2022-3515
@ 2022-12-08  6:27 Manoj Saun
  2022-12-08  9:23 ` [OE-core] " Alexandre Belloni
  0 siblings, 1 reply; 4+ messages in thread
From: Manoj Saun @ 2022-12-08  6:27 UTC (permalink / raw)
  To: openembedded-core; +Cc: narpat.mali, Manoj Saun

libksba: integer overflow may lead to remote code execution.

Reference:
https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html

Upstream fixes:
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=4b7d9cd4a018898d7714ce06f3faf2626c14582b

Signed-off-by: Manoj Saun <manojsingh.saun@windriver.com>
---
 ...e-overflow-directly-in-the-TLV-parse.patch | 42 +++++++++++++++++++
 meta/recipes-support/libksba/libksba_1.6.2.bb |  3 +-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch

diff --git a/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch b/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
new file mode 100644
index 0000000000..e2cb842a4d
--- /dev/null
+++ b/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
@@ -0,0 +1,42 @@
+From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Wed, 5 Oct 2022 14:19:06 +0200
+Subject: [PATCH] Detect a possible overflow directly in the TLV parser.
+
+* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
+used sum.
+--
+
+It is quite common to have checks like
+
+    if (ti.nhdr + ti.length >= DIM(tmpbuf))
+       return gpg_error (GPG_ERR_TOO_LARGE);
+
+This patch detects possible integer overflows immmediately when
+creating the TI object.
+
+Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
+---
+ src/ber-help.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/ber-help.c b/src/ber-help.c
+index 81c31ed..56efb6a 100644
+--- a/src/ber-help.c
++++ b/src/ber-help.c
+@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
+       ti->length = len;
+     }
+ 
++  if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
++    {
++      ti->err_string = "header+length would overflow";
++      return gpg_error (GPG_ERR_EOVERFLOW);
++    }
++
+   /* Without this kludge some example certs can't be parsed */
+   if (ti->class == CLASS_UNIVERSAL && !ti->tag)
+     ti->length = 0;
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/libksba/libksba_1.6.2.bb b/meta/recipes-support/libksba/libksba_1.6.2.bb
index f6ecb9aec4..c25c23ef0f 100644
--- a/meta/recipes-support/libksba/libksba_1.6.2.bb
+++ b/meta/recipes-support/libksba/libksba_1.6.2.bb
@@ -22,7 +22,8 @@ inherit autotools binconfig-disabled pkgconfig texinfo
 
 UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html"
 SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
-           file://ksba-add-pkgconfig-support.patch"
+           file://ksba-add-pkgconfig-support.patch \
+           file://0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch"
 
 SRC_URI[sha256sum] = "fce01ccac59812bddadffacff017dac2e4762bdb6ebc6ffe06f6ed4f6192c971"
 
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [OE-core] [meta-core][PATCH 1/1] libksba: fix CVE-2022-3515
  2022-12-08  6:27 Manoj Saun
@ 2022-12-08  9:23 ` Alexandre Belloni
  0 siblings, 0 replies; 4+ messages in thread
From: Alexandre Belloni @ 2022-12-08  9:23 UTC (permalink / raw)
  To: Manoj Saun; +Cc: openembedded-core, narpat.mali

Hello,

On 08/12/2022 06:27:44+0000, Manoj Saun wrote:
> libksba: integer overflow may lead to remote code execution.
> 
> Reference:
> https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html
> 
> Upstream fixes:
> https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=4b7d9cd4a018898d7714ce06f3faf2626c14582b
> 

The patch is missing Upstream-Status:

Missing Upstream-Status tag (meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch)

> Signed-off-by: Manoj Saun <manojsingh.saun@windriver.com>
> ---
>  ...e-overflow-directly-in-the-TLV-parse.patch | 42 +++++++++++++++++++
>  meta/recipes-support/libksba/libksba_1.6.2.bb |  3 +-
>  2 files changed, 44 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
> 
> diff --git a/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch b/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
> new file mode 100644
> index 0000000000..e2cb842a4d
> --- /dev/null
> +++ b/meta/recipes-support/libksba/libksba/0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch
> @@ -0,0 +1,42 @@
> +From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001
> +From: Werner Koch <wk@gnupg.org>
> +Date: Wed, 5 Oct 2022 14:19:06 +0200
> +Subject: [PATCH] Detect a possible overflow directly in the TLV parser.
> +
> +* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
> +used sum.
> +--
> +
> +It is quite common to have checks like
> +
> +    if (ti.nhdr + ti.length >= DIM(tmpbuf))
> +       return gpg_error (GPG_ERR_TOO_LARGE);
> +
> +This patch detects possible integer overflows immmediately when
> +creating the TI object.
> +
> +Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
> +---
> + src/ber-help.c | 6 ++++++
> + 1 file changed, 6 insertions(+)
> +
> +diff --git a/src/ber-help.c b/src/ber-help.c
> +index 81c31ed..56efb6a 100644
> +--- a/src/ber-help.c
> ++++ b/src/ber-help.c
> +@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
> +       ti->length = len;
> +     }
> + 
> ++  if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
> ++    {
> ++      ti->err_string = "header+length would overflow";
> ++      return gpg_error (GPG_ERR_EOVERFLOW);
> ++    }
> ++
> +   /* Without this kludge some example certs can't be parsed */
> +   if (ti->class == CLASS_UNIVERSAL && !ti->tag)
> +     ti->length = 0;
> +-- 
> +2.34.1
> +
> diff --git a/meta/recipes-support/libksba/libksba_1.6.2.bb b/meta/recipes-support/libksba/libksba_1.6.2.bb
> index f6ecb9aec4..c25c23ef0f 100644
> --- a/meta/recipes-support/libksba/libksba_1.6.2.bb
> +++ b/meta/recipes-support/libksba/libksba_1.6.2.bb
> @@ -22,7 +22,8 @@ inherit autotools binconfig-disabled pkgconfig texinfo
>  
>  UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html"
>  SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
> -           file://ksba-add-pkgconfig-support.patch"
> +           file://ksba-add-pkgconfig-support.patch \
> +           file://0001-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch"
>  
>  SRC_URI[sha256sum] = "fce01ccac59812bddadffacff017dac2e4762bdb6ebc6ffe06f6ed4f6192c971"
>  
> -- 
> 2.34.1
> 

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#174384): https://lists.openembedded.org/g/openembedded-core/message/174384
> Mute This Topic: https://lists.openembedded.org/mt/95533228/3617179
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alexandre.belloni@bootlin.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 


-- 
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2022-12-09  7:57 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-12-09  6:11 [meta-core][PATCH 1/1] libksba: fix CVE-2022-3515 Manoj Saun
2022-12-09  7:30 ` [OE-core] " Peter Kjellerstedt
2022-12-09  7:57 ` Alexandre Belloni
  -- strict thread matches above, loose matches on Subject: below --
2022-12-08  6:27 Manoj Saun
2022-12-08  9:23 ` [OE-core] " Alexandre Belloni

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.