libksba: fix CVE-2022-3515

(From OE-Core rev: 16d8176218230007dac98cd0d941da03a354e90c) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Chee Yang Lee <chee.yang.lee@intel.com> 2023-03-20 17:51:19 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-03-25 23:00:59 +0000
commit: 7b2e3ff618fe2056e14b22ceae2969fbad092f73 (patch)
tree: aefaae299169dac24a42e8a74f3201c38bca7e21
parent: 1351d0261ba799dc6257dbc3bf52a5d2069a5336 (diff)
download: poky-7b2e3ff618fe2056e14b22ceae2969fbad092f73.tar.gz
2 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-support/libksba/libksba/CVE-2022-3515.patch b/meta/recipes-support/libksba/libksba/CVE-2022-3515.patch
new file mode 100644
index 0000000000..ff9f2f9275
--- /dev/null
+++ b/meta/recipes-support/libksba/libksba/CVE-2022-3515.patch
@@ -0,0 +1,47 @@
+From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Wed, 5 Oct 2022 14:19:06 +0200
+Subject: [PATCH] Detect a possible overflow directly in the TLV parser.
+* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
+used sum.
+--
+It is quite common to have checks like
+    if (ti.nhdr + ti.length >= DIM(tmpbuf))
+       return gpg_error (GPG_ERR_TOO_LARGE);
+This patch detects possible integer overflows immmediately when
+creating the TI object.
+Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
+Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=patch;h=4b7d9cd4a018898d7714ce06f3faf2626c14582b]
+CVE: CVE-2022-3515 
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ src/ber-help.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/src/ber-help.c b/src/ber-help.c
+index 81c31ed..56efb6a 100644
+--- a/src/ber-help.c
+++ b/src/ber-help.c
+@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
+       ti->length = len;
+     }
+ 
+  if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
+    {
+      ti->err_string = "header+length would overflow";
+      return gpg_error (GPG_ERR_EOVERFLOW);
+    }
+
+   /* Without this kludge some example certs can't be parsed */
+   if (ti->class == CLASS_UNIVERSAL && !ti->tag)
+     ti->length = 0;
+-- 
+2.11.0
diff --git a/meta/recipes-support/libksba/libksba_1.3.5.bb b/meta/recipes-support/libksba/libksba_1.3.5.bb
index 841830efa8..5293aa91e1 100644
--- a/meta/recipes-support/libksba/libksba_1.3.5.bb
+++ b/meta/recipes-support/libksba/libksba_1.3.5.bb
@@ -24,6 +24,7 @@ UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html"
 SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
           file://ksba-add-pkgconfig-support.patch \
           file://CVE-2022-47629.patch \
+           file://CVE-2022-3515.patch \
 "
 SRC_URI[md5sum] = "8302a3e263a7c630aa7dea7d341f07a2"
author	Chee Yang Lee <chee.yang.lee@intel.com>	2023-03-20 17:51:19 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-03-25 23:00:59 +0000
commit	7b2e3ff618fe2056e14b22ceae2969fbad092f73 (patch)
tree	aefaae299169dac24a42e8a74f3201c38bca7e21
parent	1351d0261ba799dc6257dbc3bf52a5d2069a5336 (diff)
download	poky-7b2e3ff618fe2056e14b22ceae2969fbad092f73.tar.gz

diff --git a/meta/recipes-support/libksba/libksba/CVE-2022-3515.patch b/meta/recipes-support/libksba/libksba/CVE-2022-3515.patch new file mode 100644 index 0000000000..ff9f2f9275 --- /dev/null +++ b/meta/recipes-support/libksba/libksba/CVE-2022-3515.patch
@@ -0,0 +1,47 @@
		1	From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001
		2	From: Werner Koch <wk@gnupg.org>
		3	Date: Wed, 5 Oct 2022 14:19:06 +0200
		4	Subject: [PATCH] Detect a possible overflow directly in the TLV parser.
		5
		6	* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
		7	used sum.
		8	--
		9
		10	It is quite common to have checks like
		11
		12	if (ti.nhdr + ti.length >= DIM(tmpbuf))
		13	return gpg_error (GPG_ERR_TOO_LARGE);
		14
		15	This patch detects possible integer overflows immmediately when
		16	creating the TI object.
		17
		18	Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
		19
		20
		21	Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=patch;h=4b7d9cd4a018898d7714ce06f3faf2626c14582b]
		22	CVE: CVE-2022-3515
		23	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		24	---
		25	src/ber-help.c \| 6 ++++++
		26	1 file changed, 6 insertions(+)
		27
		28	diff --git a/src/ber-help.c b/src/ber-help.c
		29	index 81c31ed..56efb6a 100644
		30	--- a/src/ber-help.c
		31	+++ b/src/ber-help.c
		32	@@ -182,6 +182,12 @@ _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti)
		33	ti->length = len;
		34	}
		35
		36	+ if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
		37	+ {
		38	+ ti->err_string = "header+length would overflow";
		39	+ return gpg_error (GPG_ERR_EOVERFLOW);
		40	+ }
		41	+
		42	/* Without this kludge some example certs can't be parsed */
		43	if (ti->class == CLASS_UNIVERSAL && !ti->tag)
		44	ti->length = 0;
		45	--
		46	2.11.0
		47


diff --git a/meta/recipes-support/libksba/libksba_1.3.5.bb b/meta/recipes-support/libksba/libksba_1.3.5.bb index 841830efa8..5293aa91e1 100644 --- a/meta/recipes-support/libksba/libksba_1.3.5.bb +++ b/meta/recipes-support/libksba/libksba_1.3.5.bb
@@ -24,6 +24,7 @@ UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html"
24	SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \	24	SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
25	file://ksba-add-pkgconfig-support.patch \	25	file://ksba-add-pkgconfig-support.patch \
26	file://CVE-2022-47629.patch \	26	file://CVE-2022-47629.patch \
		27	file://CVE-2022-3515.patch \
27	"	28	"
28		29
29	SRC_URI[md5sum] = "8302a3e263a7c630aa7dea7d341f07a2"	30	SRC_URI[md5sum] = "8302a3e263a7c630aa7dea7d341f07a2"