
Another integer overflow in Libksba
Closed, Resolved (Public)

Description

In the aftermath of the libksba 1.6.2 release (T6230) another integer overflow was found. This time in the CRL's signature parser. The bug has been fixed in version 1.6.3 (T6304).

Details

Due Date
Dec 20 2022, 12:00 AM
External Link
https://gnupg.org/blog/20221017-pepe-left-the-ksba.html
Version
1.6.3

Event Timeline

werner triaged this task as Unbreak Now! priority. Nov 22 2022, 4:54 PM
werner created this task.
werner created this object in space Restricted Space.
werner created this object with edit policy "Contributor (Project)".

Here is the patch which will go into the next release

From f61a5ea4e0f6a80fd4b28ef0174bee77793cf070 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Tue, 22 Nov 2022 16:36:46 +0100
Subject: [PATCH] Fix an integer overflow in the CRL signature parser.

* src/crl.c (parse_signature): N+N2 now checked for overflow.

* src/ocsp.c (parse_response_extensions): Do not accept too large
values.
(parse_single_extensions): Ditto.
--

The second patch is an extra safeguard not related to the reported
bug.

GnuPG-bug-id: 6284
Reported-by: Joseph Surin, elttam
---
 src/crl.c  |  2 +-
 src/ocsp.c | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/crl.c b/src/crl.c
index 9f71c85..2e6ca29 100644
--- a/src/crl.c
+++ b/src/crl.c
@@ -1349,7 +1349,7 @@ parse_signature (ksba_crl_t crl)
          && !ti.is_constructed) )
     return gpg_error (GPG_ERR_INV_CRL_OBJ);
   n2 = ti.nhdr + ti.length;
-  if (n + n2 >= DIM(tmpbuf))
+  if (n + n2 >= DIM(tmpbuf) || (n + n2) < n)
     return gpg_error (GPG_ERR_TOO_LARGE);
   memcpy (tmpbuf+n, ti.buf, ti.nhdr);
   err = read_buffer (crl->reader, tmpbuf+n+ti.nhdr, ti.length);
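Review bot: the added `(n + n2) < n` wraparound test only works if `n` and `n2` are unsigned; if either is a signed type, the addition that overflows is undefined behaviour and the compiler may legitimately drop the comparison. A form that cannot overflow for any integer type, and that also removes the magic `>=`, would be `if (n2 >= DIM(tmpbuf) - n)` (given that `n < DIM(tmpbuf)` holds at this point, which the earlier code appears to guarantee). Worth either switching to that form or adding a comment stating that both operands are `size_t`.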
diff --git a/src/ocsp.c b/src/ocsp.c
index d4cba04..657d15f 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -721,6 +721,12 @@ parse_response_extensions (ksba_ocsp_t ocsp,
               || memcmp (ocsp->nonce, data, ti.length))
             ocsp->bad_nonce = 1;
         }
+      if (ti.length > (1<<24))
+        {
+          /* Bail out on much too large objects.  */
+          err = gpg_error (GPG_ERR_BAD_BER);
+          goto leave;
+        }
       ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
       if (!ex)
         {
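Review bot: the `1<<24` limit is a bare literal with no stated rationale; the same value reappears in `parse_single_extensions` in the next hunk, so it should be a single named macro (e.g. a `MAX_EXTENSION_LENGTH` at the top of src/ocsp.c) with a comment explaining why 16 MiB is the chosen bound, so the two sites cannot drift apart. Also note the check is placed after the nonce comparison, so `memcmp (ocsp->nonce, data, ti.length)` still runs on an oversized object before it is rejected; moving the length check ahead of the nonce handling would reject bad input before touching it.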
@@ -788,6 +794,12 @@ parse_single_extensions (struct ocsp_reqitem_s *ri,
       err = parse_octet_string (&data, &datalen, &ti);
       if (err)
         goto leave;
+      if (ti.length > (1<<24))
+        {
+          /* Bail out on much too large objects.  */
+          err = gpg_error (GPG_ERR_BAD_BER);
+          goto leave;
+        }
       ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
       if (!ex)
         {
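Review bot: this is a verbatim copy of the check from `parse_response_extensions`, literal and comment included; use the same named constant as the first ocsp.c hunk rather than repeating `(1<<24)`. The check also only guards the `xtrymalloc` size here, since `parse_octet_string` has already been called on the element; if that call reads the whole octet string, the bound belongs before it as well, otherwise a comment saying the cap is purely for the allocation would help the next reader.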
-- 
2.32.0
werner changed the task status from Open to Testing. Dec 20 2022, 10:50 AM
werner shifted this object from the Restricted Space space to the S1 Public space.
werner changed the edit policy from "Contributor (Project)" to "Administrators".
werner set External Link to https://gnupg.org/blog/20221017-pepe-left-the-ksba.html.
werner set Version to 1.6.3.
werner claimed this task.