I just released 1.3.4 and thus closing this bug and 2342 and 2343. Thanks again
for your help.
May 3 2016
Fixed with commit 3f74c2c. Thanks.
The use in cert-basic is correct because get_oid_desc accepts a NULL pointer.
However, some libc versions bail out on a NULL for "%s"; I fixed that too.
Fixed with commit 6be61da.
The old fix for the problem from April 2015 had an off-by-one in the
bad encoding handling. Now using simpler code.
Fixed with commit a7eed17. Thanks.
I also checked all other places to ensure that the tag length returned from
_ksba_ber_parse_tl is within the bounds.
May 1 2016
The file oid_oob_big.crt would cause the function ksba_oid_to_str() to be called with a “length” argument of
- This is what execution in tis-interpreter (in which allocations always succeed) shows:
…
48
83
A5
this is not going to end well: length=3100166514561975041
src/oid.c:105:[kernel] warning: out of bounds read. assert \valid_read(buf_0+n);
stack: _ksba_oid_to_str :: src/cert.c:1462 <- _ksba_cert_get_ext_key_usages :: src/visibility.c:259 <- ksba_cert_get_ext_key_usages :: tests/cert-basic.c:265 <- list_extensions :: tests/cert-basic.c:545 <- one_file :: tests/cert-basic.c:592 <- main
“Fortunately”, for the file oid_oob_big.crt, execution of the program tests/cert-basic differs in that a memory
allocation fails:
$ ./tests/cert-basic ../../libksba-1.3.3/oid_oob_big.crt
Certificate in `../../libksba-1.3.3/oid_oob_big.crt':
serial....: (#04#)
issuer....: `1.2.840.113549.1.9.1=#696E73656375726540746573742E696E736563757265,CN=For Tests Only,O=InsecureTestCertificate,C=de'
aka: `<insecure@test.insecure>'
subject...: `1.2.840.113549.1.9.1=#696E73656375726540746573742E696E736563757265,CN=Insecure Server Cert,O=InsecureTestCertificate,C=de'
aka: `<insecure@test.insecure>'
notBefore.: 2001-08-17 08:46:24
notAfter..: 2006-08-16 08:46:24
hash algo.: 1.2.840.113549.1.1.4
Extn: 2.5.29.15 at 474 with length 4
Extn: 2.5.29.37 at 487 with length 12
Extn: 2.5.29.14 at 508 with length 22
Extn: 2.5.29.35 at 541 with length 145
Extn: 2.5.29.17 at 695 with length 26
Extn: 2.5.29.18 at 730 with length 26
Extn: 2.16.840.1.113730.1.1 at 771 with length 4
Extn: 2.16.840.1.113730.1.13 at 790 with length 47
SubjectKeyIdentifier: (#0234E2C906F6E0B44253BE04C0CBA7823A6DB509#)
AuthorityKeyIdentifier: 1.2.840.113549.1.9.1=#696E73656375726540746573742E696E736563757265,CN=For Tests Only,O=InsecureTestCertificate,C=de
serial: (#00#)
keyIdentifier: (#BF53438278D09EC380E51B67CA0500DFB94883A5#)
KeyUsage: digitalSignature keyEncipherment keyAgreement
cert-basic.c:271: ksba_cert_ext_key_usages failed: Cannot allocate memory
CertificatePolicies: none
Regardless, between themselves, the two files oid_oob_big.crt and oid_oob_small.crt show that an attacker seems to have
many possibilities for crafting a malicious certificate that crashes in ksba_oid_to_str() called from
ksba_cert_get_ext_key_usages().
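The two comments above describe the same defect from both sides: the reporter shows a DER length field decoded to 3100166514561975041 and then handed to ksba_oid_to_str(), and the fix note says every tag length returned from _ksba_ber_parse_tl is now checked against the remaining input. The following is an added example, written for this page and not libksba's own code, of what that check looks like in a minimal BER tag/length parser feeding an OID-to-dotted-string decoder. The function names (ber_parse_tl, oid_to_str, decode_oid_element, oid_demo) and the sample byte strings are constructed for the example; the first two samples are the real DER encodings of 2.5.29.37 (extKeyUsage) and 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth), the remaining three are hand-made malformed elements.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a BER/DER tag and length (low-tag-number form only, which covers
   OBJECT IDENTIFIER).  Returns the number of header bytes consumed, or 0 on
   error.  On success *len is guaranteed not to exceed the bytes that remain
   in buf after the header: that is the check a caller such as an OID
   decoder must be able to rely on before it reads *len content bytes. */
size_t ber_parse_tl(const unsigned char *buf, size_t buflen,
                    unsigned int *tag, size_t *len)
{
    size_t n = 0;
    if (buflen < 2) return 0;
    *tag = buf[n++] & 0x1f;
    if (*tag == 0x1f) return 0;                 /* high-tag-number form: not handled */
    unsigned char c = buf[n++];
    if (c < 0x80) {
        *len = c;                               /* short form */
    } else {
        unsigned int nlen = c & 0x7f;           /* long form: nlen octets follow */
        if (nlen == 0 || nlen > sizeof(size_t)) return 0;  /* indefinite or too wide */
        if (buflen - n < nlen) return 0;        /* length octets themselves truncated */
        size_t v = 0;
        for (unsigned int i = 0; i < nlen; i++) v = (v << 8) | buf[n++];
        *len = v;
    }
    /* A 64-bit length is easy to encode in 8 octets; it must still fit. */
    if (*len > buflen - n) return 0;
    return n;
}

/* Decode OID content octets (no tag/length) into dotted form.  Returns the
   number of characters written, or 0 on malformed input: a sub-identifier
   that overflows, an output buffer that is too small, or a final octet with
   its continuation bit set (the encoding stops mid-sub-identifier). */
size_t oid_to_str(const unsigned char *oid, size_t len, char *out, size_t outlen)
{
    size_t pos = 0;
    uint64_t val = 0;
    int first = 1;
    if (len == 0 || outlen == 0) return 0;
    out[0] = '\0';
    for (size_t n = 0; n < len; n++) {
        if (val > (UINT64_MAX >> 7)) return 0;  /* would overflow on the next shift */
        val = (val << 7) | (oid[n] & 0x7f);
        if (oid[n] & 0x80) continue;            /* more octets in this sub-identifier */
        int w;
        if (first) {
            /* First sub-identifier packs the first two arcs: 40*X + Y. */
            uint64_t a = val < 80 ? val / 40 : 2;
            uint64_t b = val < 80 ? val % 40 : val - 80;
            w = snprintf(out + pos, outlen - pos, "%llu.%llu",
                         (unsigned long long)a, (unsigned long long)b);
            first = 0;
        } else {
            w = snprintf(out + pos, outlen - pos, ".%llu", (unsigned long long)val);
        }
        if (w < 0 || (size_t)w >= outlen - pos) return 0;
        pos += (size_t)w;
        val = 0;
    }
    if (oid[len - 1] & 0x80) return 0;          /* unterminated sub-identifier */
    return pos;
}

/* Decode one complete DER OBJECT IDENTIFIER element (tag 0x06). */
size_t decode_oid_element(const unsigned char *buf, size_t buflen,
                          char *out, size_t outlen)
{
    unsigned int tag;
    size_t len;
    size_t hdr = ber_parse_tl(buf, buflen, &tag, &len);
    if (hdr == 0 || tag != 6) return 0;
    return oid_to_str(buf + hdr, len, out, outlen);
}

/* Constructed samples: two valid encodings and three malformed ones. */
static const unsigned char EKU_OID[]      = {0x06,0x03,0x55,0x1D,0x25};              /* 2.5.29.37 */
static const unsigned char SERVER_AUTH[]  = {0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01};
static const unsigned char HUGE_LEN[]     = {0x06,0x88,0x2B,0x05,0x01,0x02,0x03,0x04,0x05,0x06,0x55,0x1D,0x25};
static const unsigned char TRUNCATED[]    = {0x06,0x05,0x55,0x1D,0x25};              /* claims 5, has 3 */
static const unsigned char UNTERMINATED[] = {0x06,0x03,0x55,0x1D,0xA5};              /* last octet continues */

/* Convenience wrapper: dotted string on success, NULL when rejected. */
const char *oid_demo(const unsigned char *buf, size_t buflen)
{
    static char out[128];
    return decode_oid_element(buf, buflen, out, sizeof out) ? out : NULL;
}

int main(void)
{
    const char *s;
    s = oid_demo(EKU_OID, sizeof EKU_OID);           printf("EKU_OID      -> %s\n", s ? s : "rejected");
    s = oid_demo(SERVER_AUTH, sizeof SERVER_AUTH);   printf("SERVER_AUTH  -> %s\n", s ? s : "rejected");
    s = oid_demo(HUGE_LEN, sizeof HUGE_LEN);         printf("HUGE_LEN     -> %s\n", s ? s : "rejected");
    s = oid_demo(TRUNCATED, sizeof TRUNCATED);       printf("TRUNCATED    -> %s\n", s ? s : "rejected");
    s = oid_demo(UNTERMINATED, sizeof UNTERMINATED); printf("UNTERMINATED -> %s\n", s ? s : "rejected");
    return 0;
}
```

The point of the layering is that oid_to_str never has to trust a length on its own: ber_parse_tl refuses to return a length larger than the bytes that follow it, so a certificate carrying an 8-octet long-form length is rejected at the header rather than turned into an out-of-bounds read of the content. The unterminated case shows the second check a decoder needs, since a valid length does not by itself guarantee the last sub-identifier is complete.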
Apr 29 2016
Apr 10 2015
This has been fixed in libgpg-error and the gpg-error.m4 macros have been
updated in all gnupg related libraries.
Mar 10 2015
No c+p of warnings please! Use gnupg-devel instead.
Use gnupg-devel for such things.
(If you want to provide a fix, please provide a diff and not the complete file.)
No c+p of warnings please! Use gnupg-devel for such things.
No c+p of warnings please! Use gnupg-devel for such things.
No c+p of warnings please! Use gnupg-devel for such things.
No c+p of warnings please! Use gnupg-devel for such things.
No c+p of warnings please! Use gnupg-devel for such things.
No c+p of warnings please! Use gnupg-devel for such things.
Mar 6 2015
Changed status to 'unread'. I'm not chatting.
Updated cert.c which initializes the variable algo.
Updated status to 'unread'. I'm not chatting.
Updated to include line numbers.
==54400==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 240 byte(s) in 12 object(s) allocated from:
#0 0x49f45b in __interceptor_malloc
/home/gpg-user/Clang-3.5/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
#1 0x5462d0 in _ksba_oid_to_str
/home/gpg-user/gcrypt-2.0-sanitize/libksba-1.3.2/src/oid.c:75:16
#2 0x4bcce9 in main
/home/gpg-user/gcrypt-2.0-sanitize/libksba-1.3.2/tests/t-oid.c:164:7
#3 0x2b8edcf1aec4 in __libc_start_main
/build/buildd/eglibc-2.19/csu/libc-start.c:287
Direct leak of 58 byte(s) in 2 object(s) allocated from:
#0 0x49f45b in __interceptor_malloc
/home/gpg-user/Clang-3.5/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
#1 0x5570e4 in _ksba_strdup
/home/gpg-user/gcrypt-2.0-sanitize/libksba-1.3.2/src/util.c:162:13
#2 0x4bcce9 in main
/home/gpg-user/gcrypt-2.0-sanitize/libksba-1.3.2/tests/t-oid.c:164:7
#3 0x2b8edcf1aec4 in __libc_start_main
/build/buildd/eglibc-2.19/csu/libc-start.c:287
SUMMARY: AddressSanitizer: 298 byte(s) leaked in 14 allocation(s).
FAIL: t-oid
1 of 4 tests failed
Please report to http://bugs.gnupg.org
Attached is the script I am using to acceptance test the suite. It requires
Clang 3.5 (Clang 3.5 recipe was provided with Bug 1872).
Mar 5 2015
Nov 27 2014
Nov 25 2014
Ah yes, I had that before in our build system where RUNPATH is passed via LD_OPTIONS.
If I pass the flags via LDFLAGS it works.
Thanks! -- Dago
That pretty much looks like you are using this new test program with an older
Libksba.
Duplicate of T1467
See the other bug. Will be fixed with the next release.
Jan 31 2014
This happens because AM_PATH_GPG_ERROR uses AC_ARG_WITH
in a bad way. First it parses the official name, which
is --with-libgpg-error-prefix. But then it tries to implement
a fallback to the old undocumented option name
--with-gpg-error-prefix. Unfortunately, that fallback
unconditionally overwrites the result of the first
AC_ARG_WITH.
The enclosed patch fixes this issue.
This patch needs to be installed in both the libksba
and the gnupg repositories.
The same issue was however fixed in the libassuan repo
in 97ce28a430129ce997783c6196ccfe737f5b3007. Applying
that solution in the libksba and gnupg repos would work
just as fine as my patch (and reduce the proliferation
of differing versions).
I think T1526 is a duplicate of this bug.
I think T1561 is the same bug, but in the gnupg
repository.
Dec 10 2013
Fixed with commit ab3fe5d.
The grammar is quite old and should anyway be adjusted to modern standard. There
is a separately maintained token table which does not make much sense, given
that it is possible to re-use the bison generated token table. I'll see what
I can do.