From f2c764070d05bdde81531f05df91f66d37d46df9 Mon Sep 17 00:00:00 2001 From: yixiangzhike Date: Thu, 22 Dec 2022 11:43:25 +0800 Subject: [PATCH] fix CVE-2022-47629 Signed-off-by: yixiangzhike --- ...overflow-in-the-CRL-signature-parser.patch | 68 +++++++++++++++++++ libksba.spec | 9 ++- 2 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2022-47629-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch diff --git a/backport-CVE-2022-47629-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch b/backport-CVE-2022-47629-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch new file mode 100644 index 0000000..6292189 --- /dev/null +++ b/backport-CVE-2022-47629-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch @@ -0,0 +1,68 @@ +From f61a5ea4e0f6a80fd4b28ef0174bee77793cf070 Mon Sep 17 00:00:00 2001 +From: Werner Koch +Date: Tue, 22 Nov 2022 16:36:46 +0100 +Subject: [PATCH] Fix an integer overflow in the CRL signature parser. + +* src/crl.c (parse_signature): N+N2 now checked for overflow. + +* src/ocsp.c (parse_response_extensions): Do not accept too large +values. +(parse_single_extensions): Ditto. +-- + +The second patch is an extra safegourd not related to the reported +bug. + +GnuPG-bug-id: 6284 +Reported-by: Joseph Surin, elttam +--- + src/crl.c | 2 +- + src/ocsp.c | 12 ++++++++++++ + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/src/crl.c b/src/crl.c +index 9f71c85..2e6ca29 100644 +--- a/src/crl.c ++++ b/src/crl.c +@@ -1349,7 +1349,7 @@ parse_signature (ksba_crl_t crl) + && !ti.is_constructed) ) + return gpg_error (GPG_ERR_INV_CRL_OBJ); + n2 = ti.nhdr + ti.length; +- if (n + n2 >= DIM(tmpbuf)) ++ if (n + n2 >= DIM(tmpbuf) || (n + n2) < n) + return gpg_error (GPG_ERR_TOO_LARGE); + memcpy (tmpbuf+n, ti.buf, ti.nhdr); + err = read_buffer (crl->reader, tmpbuf+n+ti.nhdr, ti.length); +diff --git a/src/ocsp.c b/src/ocsp.c +index d4cba04..657d15f 100644 +--- a/src/ocsp.c ++++ b/src/ocsp.c +@@ -721,6 +721,12 @@ parse_response_extensions (ksba_ocsp_t ocsp, + else + ocsp->good_nonce = 1; + } ++ if (ti.length > (1<<24)) ++ { ++ /* Bail out on much too large objects. */ ++ err = gpg_error (GPG_ERR_BAD_BER); ++ goto leave; ++ } + ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length); + if (!ex) + { +@@ -788,6 +794,12 @@ parse_single_extensions (struct ocsp_reqitem_s *ri, + err = parse_octet_string (&data, &datalen, &ti); + if (err) + goto leave; ++ if (ti.length > (1<<24)) ++ { ++ /* Bail out on much too large objects. */ ++ err = gpg_error (GPG_ERR_BAD_BER); ++ goto leave; ++ } + ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length); + if (!ex) + { +-- +2.27.0 + diff --git a/libksba.spec b/libksba.spec index 46ff796..2f0cc30 100644 --- a/libksba.spec +++ b/libksba.spec @@ -1,6 +1,6 @@ Name: libksba Version: 1.4.0 -Release: 3 +Release: 4 Summary: A library for X.509 and CMS License: (LGPL-3.0+ or GPL-2.0+) and GPL-3.0+ and MIT URL: https://www.gnupg.org/software/libksba/index.html @@ -8,6 +8,7 @@ Source0: ftp://ftp.gnupg.org/gcrypt/libksba/libksba-%{version}.tar.bz2 Source1: ftp://ftp.gnupg.org/gcrypt/libksba/libksba-%{version}.tar.bz2.sig Patch1: backport-CVE-2022-3515-Detect-a-possible-overflow-directly-in-the-TLV-parse.patch +Patch2: backport-CVE-2022-47629-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch BuildRequires: gcc gawk libgpg-error-devel >= 1.8 libgcrypt-devel >= 1.2.0 @@ -68,6 +69,12 @@ make check %{_datadir}/info/ksba.info.gz %changelog +* Thu Dec 22 2022 yixiangzhike - 1.4.0-4 +- Type:cve +- ID:CVE-2022-47629 +- SUG:NA +- DESC:fix CVE-2022-47629 + * Wed Oct 19 2022 yixiangzhike - 1.4.0-3 - Type:cve - ID:CVE-2022-3515 -- Gitee