Compare commits

...

10 Commits

Author SHA1 Message Date
Jakub Jelen
5bafea1a1b 1.5.1-6 2023-05-18 14:32:30 +00:00
Jakub Jelen
b90395dc15 Fix CVE-2022-47629
Resolves: rhbz#2161583
2023-01-26 11:30:01 +01:00
Jakub Jelen
5da7eeef07 libksba-1.5.1-5
Related: rhbz#2135703
2022-10-19 12:57:09 +02:00
Jakub Jelen
ca1a4dbee9 Detect a possible overflow directly in the TLV parser.
Resolves: rhbz#2135703
2022-10-19 12:56:50 +02:00
Mohan Boddu
316b8a9b80 Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-08-09 21:29:38 +00:00
Aleksandra Fedorova
7ee0c05d6e Add RHEL gating configuration 2021-07-15 03:14:21 +02:00
Mohan Boddu
1506b120e2 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-04-16 01:21:06 +00:00
Jakub Jelen
d5b25c5623 Rebase to 1.5.1 and address coverity issues
Resolves: rhbz#1938772
2021-04-15 11:52:17 +02:00
DistroBaker
899b52c8ca Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/libksba.git#23244db9c9cdd47bd36be8522b1baf81042ee44f
2021-02-04 09:59:53 +01:00
DistroBaker
a6c10dbe04 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/libksba.git#0b5743078b11bf0ac7d11287fe62fb4c5b82b1d4
2020-12-01 17:17:06 +00:00
7 changed files with 312 additions and 9 deletions

4
.gitignore vendored
View File

@ -16,3 +16,7 @@ libksba-1.0.8.tar.bz2.sig
/libksba-1.3.5.tar.bz2.sig
/libksba-1.4.0.tar.bz2
/libksba-1.4.0.tar.bz2.sig
/libksba-1.5.0.tar.bz2
/libksba-1.5.0.tar.bz2.sig
/libksba-1.5.1.tar.bz2
/libksba-1.5.1.tar.bz2.sig

2
.libksba.metadata Normal file
View File

@ -0,0 +1,2 @@
740ac2551b33110e879aff100c6a6749284daf97 libksba-1.5.1.tar.bz2
c04e66bd480ff66f811d8e71c06ae5f1421418c0 libksba-1.5.1.tar.bz2.sig

7
gating.yaml Normal file
View File

@ -0,0 +1,7 @@
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}

View File

@ -0,0 +1,157 @@
From f47ac49c068f1bc640f391b8b4a9594486ed0bb7 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 13 Apr 2021 22:33:17 +0200
Subject: [PATCH 1/5] tests: reset freed pointer for next iteration
* tests/t-oid.c (main): reset freed pointer for next iteration
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tests/t-oid.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tests/t-oid.c b/tests/t-oid.c
index 0fe5944..04156b6 100644
--- a/tests/t-oid.c
+++ b/tests/t-oid.c
@@ -183,6 +183,7 @@ main (int argc, char **argv)
printf (" %02X", buffer[n]);
putchar ('\n');
free (buffer);
+ buffer = NULL;
}
}
else if (!strcmp (*argv, "--to-str"))
--
2.30.2
From 8c410c22a0366b4ce43d37b62598d8429c3ffc30 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 13 Apr 2021 22:36:56 +0200
Subject: [PATCH 2/5] time: avoid buffer overrun
* src/time.c (_ksba_current_time): Use snprintf to avoid buffer overrun
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
src/time.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/time.c b/src/time.c
index d793476..f5f3a03 100644
--- a/src/time.c
+++ b/src/time.c
@@ -160,7 +160,7 @@ _ksba_current_time (ksba_isotime_t timebuf)
#else
tp = gmtime ( &epoch );
#endif
- sprintf (timebuf,"%04d%02d%02dT%02d%02d%02d",
- 1900 + tp->tm_year, tp->tm_mon+1, tp->tm_mday,
- tp->tm_hour, tp->tm_min, tp->tm_sec);
+ snprintf (timebuf, sizeof(ksba_isotime_t), "%04d%02d%02dT%02d%02d%02d",
+ 1900 + tp->tm_year, tp->tm_mon+1, tp->tm_mday,
+ tp->tm_hour, tp->tm_min, tp->tm_sec);
}
--
2.30.2
From b8581032f492b4c17d20e966f11afd591ca177ef Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 13 Apr 2021 22:44:43 +0200
Subject: [PATCH 3/5] asn1-func: Initialize buffer
* src/asn1-func.c (_ksba_asn_expand_object_id): Initialize name2 buffer
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
src/asn1-func.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/asn1-func.c b/src/asn1-func.c
index e64c479..05ec897 100755
--- a/src/asn1-func.c
+++ b/src/asn1-func.c
@@ -882,7 +882,7 @@ int
_ksba_asn_expand_object_id (AsnNode node)
{
AsnNode p, p2, p3, p4, p5;
- char name_root[129], name2[129*2+1];
+ char name_root[129], name2[129*2+1] = "";
/* Fixme: Make a cleaner implementation */
if (!node)
--
2.30.2
From ff510b0511443c181b9b9af87bd2596b6a5751fc Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 14 Apr 2021 10:28:10 +0200
Subject: [PATCH 4/5] ber-decoder: Avoid null pointer dereference on error
* src/ber-decoder.c (_ksba_ber_decoder_dump): break on error
--
The above branches set err if stuff go wrong, but it is never checked
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
src/ber-decoder.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/ber-decoder.c b/src/ber-decoder.c
index 755c1d7..87e58a9 100644
--- a/src/ber-decoder.c
+++ b/src/ber-decoder.c
@@ -1149,6 +1149,8 @@ _ksba_ber_decoder_dump (BerDecoder d, FILE *fp)
err = gpg_error_from_syserror ();
}
}
+ if (err)
+ break;
for (n=0; !err && n < d->val.length; n++)
{
--
2.30.2
From 0431c56f4e1b6d6c3ff302648730da36a18ae93c Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 14 Apr 2021 10:30:59 +0200
Subject: [PATCH 5/5] Mark the idential branches as intentional for coverity
* src/ber-help.c (_ksba_ber_count_tl): Mark identical branches as
intentional for coverity
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
src/ber-help.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/ber-help.c b/src/ber-help.c
index 1b72bf0..81c31ed 100644
--- a/src/ber-help.c
+++ b/src/ber-help.c
@@ -440,6 +440,7 @@ _ksba_ber_count_tl (unsigned long tag,
(void)constructed; /* Not used, but passed for uniformity of such calls. */
+ /* coverity[identical_branches] */
if (tag < 0x1f)
{
buflen++;
--
2.30.2

View File

@ -0,0 +1,104 @@
From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Wed, 5 Oct 2022 14:19:06 +0200
Subject: [PATCH] Detect a possible overflow directly in the TLV parser.
* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
used sum.
--
It is quite common to have checks like
if (ti.nhdr + ti.length >= DIM(tmpbuf))
return gpg_error (GPG_ERR_TOO_LARGE);
This patch detects possible integer overflows immmediately when
creating the TI object.
Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
---
src/ber-help.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/ber-help.c b/src/ber-help.c
index 81c31ed..56efb6a 100644
--- a/src/ber-help.c
+++ b/src/ber-help.c
@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
ti->length = len;
}
+ if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
+ {
+ ti->err_string = "header+length would overflow";
+ return gpg_error (GPG_ERR_EOVERFLOW);
+ }
+
/* Without this kludge some example certs can't be parsed */
if (ti->class == CLASS_UNIVERSAL && !ti->tag)
ti->length = 0;
--
2.37.3
commit f61a5ea4e0f6a80fd4b28ef0174bee77793cf070
Author: Werner Koch <wk@gnupg.org>
Date: Tue Nov 22 16:36:46 2022 +0100
Fix an integer overflow in the CRL signature parser.
* src/crl.c (parse_signature): N+N2 now checked for overflow.
* src/ocsp.c (parse_response_extensions): Do not accept too large
values.
(parse_single_extensions): Ditto.
--
The second patch is an extra safegourd not related to the reported
bug.
GnuPG-bug-id: 6284
Reported-by: Joseph Surin, elttam
diff --git a/src/crl.c b/src/crl.c
index 9f71c85..2e6ca29 100644
--- a/src/crl.c
+++ b/src/crl.c
@@ -1349,7 +1349,7 @@ parse_signature (ksba_crl_t crl)
&& !ti.is_constructed) )
return gpg_error (GPG_ERR_INV_CRL_OBJ);
n2 = ti.nhdr + ti.length;
- if (n + n2 >= DIM(tmpbuf))
+ if (n + n2 >= DIM(tmpbuf) || (n + n2) < n)
return gpg_error (GPG_ERR_TOO_LARGE);
memcpy (tmpbuf+n, ti.buf, ti.nhdr);
err = read_buffer (crl->reader, tmpbuf+n+ti.nhdr, ti.length);
diff --git a/src/ocsp.c b/src/ocsp.c
index d4cba04..657d15f 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -721,6 +721,12 @@ parse_response_extensions (ksba_ocsp_t ocsp,
else
ocsp->good_nonce = 1;
}
+ if (ti.length > (1<<24))
+ {
+ /* Bail out on much too large objects. */
+ err = gpg_error (GPG_ERR_BAD_BER);
+ goto leave;
+ }
ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
if (!ex)
{
@@ -788,6 +794,12 @@ parse_single_extensions (struct ocsp_reqitem_s *ri,
err = parse_octet_string (&data, &datalen, &ti);
if (err)
goto leave;
+ if (ti.length > (1<<24))
+ {
+ /* Bail out on much too large objects. */
+ err = gpg_error (GPG_ERR_BAD_BER);
+ goto leave;
+ }
ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
if (!ex)
{

View File

@ -1,21 +1,25 @@
Summary: CMS and X.509 library
Name: libksba
Version: 1.4.0
Release: 1%{?dist}
Version: 1.5.1
Release: 6%{?dist}
# The library is licensed under LGPLv3+ or GPLv2+,
# the rest of the package under GPLv3+
License: (LGPLv3+ or GPLv2+) and GPLv3+
URL: http://www.gnupg.org/
Source0: ftp://ftp.gnupg.org/gcrypt/libksba/libksba-%{version}.tar.bz2
Source1: ftp://ftp.gnupg.org/gcrypt/libksba/libksba-%{version}.tar.bz2.sig
URL: https://www.gnupg.org/
Source0: https://www.gnupg.org/ftp/gcrypt/libksba/libksba-%{version}.tar.bz2
Source1: https://www.gnupg.org/ftp/gcrypt/libksba/libksba-%{version}.tar.bz2.sig
Patch1: libksba-1.3.0-multilib.patch
Patch2: libksba-1.5.1-coverity.patch
# Fix for CVE-2022-3515
Patch3: libksba-1.5.1-overflow.patch
BuildRequires: gcc
BuildRequires: gawk
BuildRequires: libgpg-error-devel >= 1.8
BuildRequires: libgcrypt-devel >= 1.2.0
BuildRequires: make
%description
KSBA (pronounced Kasbah) is a library to make X.509 certificates as
@ -35,6 +39,8 @@ Requires: pkgconfig
%setup -q
%patch1 -p1 -b .multilib
%patch2 -p1 -b .coverity
%patch3 -p1 -b .overflow
# Convert to utf-8
for file in THANKS; do
@ -52,8 +58,6 @@ done
%install
rm -rf $RPM_BUILD_ROOT
%make_install
rm -f $RPM_BUILD_ROOT%{_infodir}/dir
@ -81,6 +85,31 @@ make check
%changelog
* Wed Jan 25 2023 Jakub Jelen <jjelen@redhat.com> - 1.5.1-6
- Fix for CVE-2022-47629 (#2161571)
* Wed Oct 19 2022 Jakub Jelen <jjelen@redhat.com> - 1.5.1-5
- Fix for CVE-2022-3515 (#2135703)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.5.1-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.5.1-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Thu Apr 15 2021 Jakub Jelen <jjelen@redhat.com> - 1.5.1-2
- Address issues reported by coverity
* Wed Apr 07 2021 Jakub Jelen <jjelen@redhat.com> - 1.5.1-1
- New upstream release (#1946544)
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Dec 01 2020 Jakub Jelen <jjelen@redhat.com> - 1.5.0-1
- New upstream release (#1899183)
* Tue Oct 6 2020 Tomas Mraz <tmraz@redhat.com> - 1.4.0-1
- New upstream version 1.4.0

View File

@ -1,2 +1,2 @@
SHA512 (libksba-1.4.0.tar.bz2) = 7c1666017ebfa50b5663153dead1e019e0ee342c4f44ee8f644fc749e82dcc983237ef0f557de9de3f7908dc90405d967a4db2e36e04fe0d5a09edf49f8a0c8d
SHA512 (libksba-1.4.0.tar.bz2.sig) = 70517d35e151cfb1dbd4c56326cac5c6b67690fd379f9f0b54e22ccf40dcd116f7e90f63e8334ad499e6c1c915b844d63bae423684ea69cab6d044e753f40bbf
SHA512 (libksba-1.5.1.tar.bz2) = 156fe6a36daa7b11ce580366ab36a5fceda253413f0057ace791e4f028fd3158a70a3f6ba1d0c824fafee4420d1076864dbd0911606fb65e14c8b2332b6cc92b
SHA512 (libksba-1.5.1.tar.bz2.sig) = 65ae19253a2f4567d58d76122bd7aac94e2dfe86b34c09feb69b1c4b3b14b53bc061a9afa9f3dd6a7494a46106292be8107ffc74436ec569efdb0746d685ac16