diff options
Diffstat (limited to 'meta/recipes-support/libksba/libksba/CVE-2022-47629.patch')
-rw-r--r-- | meta/recipes-support/libksba/libksba/CVE-2022-47629.patch | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-support/libksba/libksba/CVE-2022-47629.patch b/meta/recipes-support/libksba/libksba/CVE-2022-47629.patch new file mode 100644 index 0000000000..b09d0eb557 --- /dev/null +++ b/meta/recipes-support/libksba/libksba/CVE-2022-47629.patch | |||
@@ -0,0 +1,69 @@ | |||
1 | From b17444b3c47e32c77a3ba5335ae30ccbadcba3cf Mon Sep 17 00:00:00 2001 | ||
2 | From: Werner Koch <wk@gnupg.org> | ||
3 | Date: Tue, 22 Nov 2022 16:36:46 +0100 | ||
4 | Subject: [PATCH] Fix an integer overflow in the CRL signature parser. | ||
5 | |||
6 | * src/crl.c (parse_signature): N+N2 now checked for overflow. | ||
7 | |||
8 | * src/ocsp.c (parse_response_extensions): Do not accept too large | ||
9 | values. | ||
10 | (parse_single_extensions): Ditto. | ||
11 | -- | ||
12 | |||
13 | The second patch is an extra safegourd not related to the reported | ||
14 | bug. | ||
15 | |||
16 | GnuPG-bug-id: 6284 | ||
17 | Reported-by: Joseph Surin, elttam | ||
18 | CVE: CVE-2022-47629 | ||
19 | https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=f61a5ea4e0f6a80fd4b28ef0174bee77793cf070 | ||
20 | Upstream-Status: Backport | ||
21 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
22 | --- | ||
23 | src/crl.c | 2 +- | ||
24 | src/ocsp.c | 12 ++++++++++++ | ||
25 | 2 files changed, 13 insertions(+), 1 deletion(-) | ||
26 | |||
27 | diff --git a/src/crl.c b/src/crl.c | ||
28 | index 87a3fa3..9d3028e 100644 | ||
29 | --- a/src/crl.c | ||
30 | +++ b/src/crl.c | ||
31 | @@ -1434,7 +1434,7 @@ parse_signature (ksba_crl_t crl) | ||
32 | && !ti.is_constructed) ) | ||
33 | return gpg_error (GPG_ERR_INV_CRL_OBJ); | ||
34 | n2 = ti.nhdr + ti.length; | ||
35 | - if (n + n2 >= DIM(tmpbuf)) | ||
36 | + if (n + n2 >= DIM(tmpbuf) || (n + n2) < n) | ||
37 | return gpg_error (GPG_ERR_TOO_LARGE); | ||
38 | memcpy (tmpbuf+n, ti.buf, ti.nhdr); | ||
39 | err = read_buffer (crl->reader, tmpbuf+n+ti.nhdr, ti.length); | ||
40 | diff --git a/src/ocsp.c b/src/ocsp.c | ||
41 | index 4b26f8d..c41234e 100644 | ||
42 | --- a/src/ocsp.c | ||
43 | +++ b/src/ocsp.c | ||
44 | @@ -912,6 +912,12 @@ parse_response_extensions (ksba_ocsp_t ocsp, | ||
45 | else | ||
46 | ocsp->good_nonce = 1; | ||
47 | } | ||
48 | + if (ti.length > (1<<24)) | ||
49 | + { | ||
50 | + /* Bail out on much too large objects. */ | ||
51 | + err = gpg_error (GPG_ERR_BAD_BER); | ||
52 | + goto leave; | ||
53 | + } | ||
54 | ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length); | ||
55 | if (!ex) | ||
56 | { | ||
57 | @@ -979,6 +985,12 @@ parse_single_extensions (struct ocsp_reqitem_s *ri, | ||
58 | err = parse_octet_string (&data, &datalen, &ti); | ||
59 | if (err) | ||
60 | goto leave; | ||
61 | + if (ti.length > (1<<24)) | ||
62 | + { | ||
63 | + /* Bail out on much too large objects. */ | ||
64 | + err = gpg_error (GPG_ERR_BAD_BER); | ||
65 | + goto leave; | ||
66 | + } | ||
67 | ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length); | ||
68 | if (!ex) | ||
69 | { | ||