diff --git a/libksba-1.5.1-overflow.patch b/libksba-1.5.1-overflow.patch index d4206de..c37f135 100644 --- a/libksba-1.5.1-overflow.patch +++ b/libksba-1.5.1-overflow.patch @@ -40,3 +40,65 @@ index 81c31ed..56efb6a 100644 -- 2.37.3 +commit f61a5ea4e0f6a80fd4b28ef0174bee77793cf070 +Author: Werner Koch +Date: Tue Nov 22 16:36:46 2022 +0100 + + Fix an integer overflow in the CRL signature parser. + + * src/crl.c (parse_signature): N+N2 now checked for overflow. + + * src/ocsp.c (parse_response_extensions): Do not accept too large + values. + (parse_single_extensions): Ditto. + -- + + The second patch is an extra safegourd not related to the reported + bug. + + GnuPG-bug-id: 6284 + Reported-by: Joseph Surin, elttam + +diff --git a/src/crl.c b/src/crl.c +index 9f71c85..2e6ca29 100644 +--- a/src/crl.c ++++ b/src/crl.c +@@ -1349,7 +1349,7 @@ parse_signature (ksba_crl_t crl) + && !ti.is_constructed) ) + return gpg_error (GPG_ERR_INV_CRL_OBJ); + n2 = ti.nhdr + ti.length; +- if (n + n2 >= DIM(tmpbuf)) ++ if (n + n2 >= DIM(tmpbuf) || (n + n2) < n) + return gpg_error (GPG_ERR_TOO_LARGE); + memcpy (tmpbuf+n, ti.buf, ti.nhdr); + err = read_buffer (crl->reader, tmpbuf+n+ti.nhdr, ti.length); +diff --git a/src/ocsp.c b/src/ocsp.c +index d4cba04..657d15f 100644 +--- a/src/ocsp.c ++++ b/src/ocsp.c +@@ -721,6 +721,12 @@ parse_response_extensions (ksba_ocsp_t ocsp, + else + ocsp->good_nonce = 1; + } ++ if (ti.length > (1<<24)) ++ { ++ /* Bail out on much too large objects. */ ++ err = gpg_error (GPG_ERR_BAD_BER); ++ goto leave; ++ } + ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length); + if (!ex) + { +@@ -788,6 +794,12 @@ parse_single_extensions (struct ocsp_reqitem_s *ri, + err = parse_octet_string (&data, &datalen, &ti); + if (err) + goto leave; ++ if (ti.length > (1<<24)) ++ { ++ /* Bail out on much too large objects. */ ++ err = gpg_error (GPG_ERR_BAD_BER); ++ goto leave; ++ } + ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length); + if (!ex) + {