diff --git a/SOURCES/libksba-1.5.1-overflow.patch b/SOURCES/libksba-1.5.1-overflow.patch index d4206de..c37f135 100644 --- a/SOURCES/libksba-1.5.1-overflow.patch +++ b/SOURCES/libksba-1.5.1-overflow.patch @@ -40,3 +40,65 @@ index 81c31ed..56efb6a 100644 -- 2.37.3 +commit f61a5ea4e0f6a80fd4b28ef0174bee77793cf070 +Author: Werner Koch +Date: Tue Nov 22 16:36:46 2022 +0100 + + Fix an integer overflow in the CRL signature parser. + + * src/crl.c (parse_signature): N+N2 now checked for overflow. + + * src/ocsp.c (parse_response_extensions): Do not accept too large + values. + (parse_single_extensions): Ditto. + -- + + The second patch is an extra safegourd not related to the reported + bug. + + GnuPG-bug-id: 6284 + Reported-by: Joseph Surin, elttam + +diff --git a/src/crl.c b/src/crl.c +index 9f71c85..2e6ca29 100644 +--- a/src/crl.c ++++ b/src/crl.c +@@ -1349,7 +1349,7 @@ parse_signature (ksba_crl_t crl) + && !ti.is_constructed) ) + return gpg_error (GPG_ERR_INV_CRL_OBJ); + n2 = ti.nhdr + ti.length; +- if (n + n2 >= DIM(tmpbuf)) ++ if (n + n2 >= DIM(tmpbuf) || (n + n2) < n) + return gpg_error (GPG_ERR_TOO_LARGE); + memcpy (tmpbuf+n, ti.buf, ti.nhdr); + err = read_buffer (crl->reader, tmpbuf+n+ti.nhdr, ti.length); +diff --git a/src/ocsp.c b/src/ocsp.c +index d4cba04..657d15f 100644 +--- a/src/ocsp.c ++++ b/src/ocsp.c +@@ -721,6 +721,12 @@ parse_response_extensions (ksba_ocsp_t ocsp, + else + ocsp->good_nonce = 1; + } ++ if (ti.length > (1<<24)) ++ { ++ /* Bail out on much too large objects. */ ++ err = gpg_error (GPG_ERR_BAD_BER); ++ goto leave; ++ } + ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length); + if (!ex) + { +@@ -788,6 +794,12 @@ parse_single_extensions (struct ocsp_reqitem_s *ri, + err = parse_octet_string (&data, &datalen, &ti); + if (err) + goto leave; ++ if (ti.length > (1<<24)) ++ { ++ /* Bail out on much too large objects. */ ++ err = gpg_error (GPG_ERR_BAD_BER); ++ goto leave; ++ } + ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length); + if (!ex) + { diff --git a/SPECS/libksba.spec b/SPECS/libksba.spec index 0c85a47..0b267ec 100644 --- a/SPECS/libksba.spec +++ b/SPECS/libksba.spec @@ -1,7 +1,7 @@ Summary: CMS and X.509 library Name: libksba Version: 1.5.1 -Release: 5%{?dist} +Release: 6%{?dist} # The library is licensed under LGPLv3+ or GPLv2+, # the rest of the package under GPLv3+ @@ -88,6 +88,9 @@ make check * Wed Mar 15 2023 MSVSphere Packaging Team - 1.5.1-4 - Rebuilt for MSVSphere 9.1. +* Wed Jan 25 2023 Jakub Jelen - 1.5.1-6 +- Fix for CVE-2022-47629 (#2161571) + * Wed Oct 19 2022 Jakub Jelen - 1.5.1-5 - Fix for CVE-2022-3515 (#2135703)