Headline
CVE-2016-4574: security - Re: Re: CVE request: three issues in libksba
Off-by-one error in the append_utf8_value function in the DN decoder (dn.c) in Libksba before 1.3.4 allows remote attackers to cause a denial of service (out-of-bounds read) via invalid utf-8 encoded data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-4356.
- Products
- Openwall GNU/*/Linux server OS
- Linux Kernel Runtime Guard
- John the Ripper password cracker
- Free & Open Source for any platform
- in the cloud
- Pro for Linux
- Pro for macOS
- Wordlists for password cracking
- passwdqc policy enforcement
- Free & Open Source for Unix
- Pro for Windows (Active Directory)
- yescrypt KDF & password hashing
- yespower Proof-of-Work (PoW)
- crypt_blowfish password hashing
- phpass ditto in PHP
- tcb better password shadowing
- Pluggable Authentication Modules
- scanlogd port scan detector
- popa3d tiny POP3 daemon
- blists web interface to mailing lists
- msulogin single user mode login
- php_mt_seed mt_rand() cracker
- Services
- Publications
- Articles
- Presentations
- Resources
- Mailing lists
- Community wiki
- Source code repositories (GitHub)
- Source code repositories (CVSweb)
- File archive & mirrors
- How to verify digital signatures
- OVE IDs
- What’s new
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 10 May 2016 14:09:11 +0200 From: Andreas Stieger <astieger@…e.com> To: oss-security@…ts.openwall.com, mprpic@…hat.com Cc: cve-assign@…re.org Subject: Re: Re: CVE request: three issues in libksba
Hello,
On 04/29/2016 06:13 PM, cve-assign@…re.org wrote:
Integer overflow in the DN decoder src/dn.c
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=243d12fdec66a4360fbb3e307a046b39b5b4ffc3
This might be an error in the original https://security.gentoo.org/glsa/201604-04 advisory. We did not notice any obvious relationship between 243d12fdec66a4360fbb3e307a046b39b5b4ffc3 and an integer overflow fix. The 243d12fdec66a4360fbb3e307a046b39b5b4ffc3 commit message seems to focus on “read access out of bounds.” Also, there is no other recent commit at http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=history;f=src/dn.c that refers to an integer overflow. Possibly there was an inapplicable copy-and-paste of “Integer overflow in the” from the previous report about the BER decoder.
Use CVE-2016-4356 for the 243d12fdec66a4360fbb3e307a046b39b5b4ffc3 issue that is described as “Fix encoding of invalid utf-8 strings in dn.c” and “read access out of bounds.”
There is a follow-up fix in libksba 1.3.4 for this issue: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=6be61daac047d8e6aa941eb103f8e71a1d4e3c75
Fix an OOB read access in _ksba_dn_to_str.
* src/dn.c (append_utf8_value): Use a straightforward check to fix an off-by-one. –
The old fix for the problem from April 2015 had an off-by-one in the bad encoding handing.
Fixes-commit: 243d12fdec66a4360fbb3e307a046b39b5b4ffc3 http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=object;h=243d12fdec66a4360fbb3e307a046b39b5b4ffc3\ GnuPG-bug-id: 2344 Reported-by: Pascal Cuoq Signed-off-by: Werner Koch <wk@…pg.org>
Andreas
– Andreas Stieger <astieger@…e.com> Project Manager Security SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.
Related news
Libksba before 1.3.4 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via unspecified vectors, related to the "returned length of the object from _ksba_ber_parse_tl."