Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
No build reason found for SLES:x86_64
SUSE:SLE-12:Update
libksba.26430
0005-Fix-possible-read-access-beyond-the-buffer...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0005-Fix-possible-read-access-beyond-the-buffer.patch of Package libksba.26430
From a7eed17a0b2a1c09ef986f3b4b323cd31cea2b64 Mon Sep 17 00:00:00 2001 From: Werner Koch <wk@gnupg.org> Date: Tue, 3 May 2016 14:10:04 +0200 Subject: [PATCH 3/9] Fix possible read access beyond the buffer. * src/ber-help.c (_ksba_ber_parse_tl): Add extra sanity check. * src/cert.c (ksba_cert_get_cert_policies): Check TLV given length against buffer length. (ksba_cert_get_ext_key_usages): Ditto. * src/ocsp.c (parse_asntime_into_isotime): Ditto. -- The returned length of the object from _ksba_ber_parse_tl (ti.length) was not always checked against the actual buffer length, thus leading to a read access after the end of the buffer and thus a segv. GnuPG-bug-id: 2344 Reported-by: Pascal Cuoq Signed-off-by: Werner Koch <wk@gnupg.org> --- src/ber-help.c | 6 ++++++ src/cert.c | 23 ++++++++++++++++++++++- src/name.c | 2 +- src/ocsp.c | 2 ++ 4 files changed, 31 insertions(+), 2 deletions(-) Index: libksba-1.3.0/src/ber-help.c =================================================================== --- libksba-1.3.0.orig/src/ber-help.c +++ libksba-1.3.0/src/ber-help.c @@ -285,9 +285,15 @@ _ksba_ber_parse_tl (unsigned char const ti->buf[ti->nhdr++] = c; len |= c & 0xff; } + /* Sanity check for the length: This is done so that we can take + * the value for malloc plus some additional bytes without + * risking an overflow. */ + if (len > (1 << 30)) + return gpg_error (GPG_ERR_BAD_BER); ti->length = len; } + /* Without this kludge some example certs can't be parsed */ if (ti->class == CLASS_UNIVERSAL && !ti->tag) ti->length = 0; Index: libksba-1.3.0/src/cert.c =================================================================== --- libksba-1.3.0.orig/src/cert.c +++ libksba-1.3.0/src/cert.c @@ -1337,9 +1337,15 @@ ksba_cert_get_cert_policies (ksba_cert_t err = gpg_error (GPG_ERR_NOT_DER_ENCODED); goto leave; } + if (ti.length > derlen) + { + err = gpg_error (GPG_ERR_BAD_BER); + goto leave; + } if (!ti.length) { - err = gpg_error (GPG_ERR_INV_CERT_OBJ); /* no empty inner SEQ */ + /* We do not accept an empty inner SEQ */ + err = gpg_error (GPG_ERR_INV_CERT_OBJ); goto leave; } if (ti.nhdr+ti.length > seqlen) @@ -1358,6 +1364,11 @@ ksba_cert_get_cert_policies (ksba_cert_t err = gpg_error (GPG_ERR_INV_CERT_OBJ); goto leave; } + if (ti.length > derlen) + { + err = gpg_error (GPG_ERR_BAD_BER); + goto leave; + } if (ti.nhdr+ti.length > seqseqlen) { err = gpg_error (GPG_ERR_BAD_BER); @@ -1460,6 +1471,16 @@ ksba_cert_get_ext_key_usages (ksba_cert_ err = gpg_error (GPG_ERR_INV_CERT_OBJ); goto leave; } + if (ti.ndef) + { + err = gpg_error (GPG_ERR_NOT_DER_ENCODED); + goto leave; + } + if (ti.length > derlen) + { + err = gpg_error (GPG_ERR_BAD_BER); + goto leave; + } suboid = ksba_oid_to_str (der, ti.length); if (!suboid) Index: libksba-1.3.0/src/name.c =================================================================== --- libksba-1.3.0.orig/src/name.c +++ libksba-1.3.0/src/name.c @@ -113,7 +113,7 @@ _ksba_name_new_from_der (ksba_name_t *r_ *r_name = NULL; - /* count and check for encoding errors - we won;t do this again + /* Count and check for encoding errors - we won't do this again during the second pass */ der = image; derlen = imagelen; Index: libksba-1.3.0/src/ocsp.c =================================================================== --- libksba-1.3.0.orig/src/ocsp.c +++ libksba-1.3.0/src/ocsp.c @@ -231,6 +231,8 @@ parse_asntime_into_isotime (unsigned cha && (ti.tag == TYPE_UTC_TIME || ti.tag == TYPE_GENERALIZED_TIME) && !ti.is_constructed) ) err = gpg_error (GPG_ERR_INV_OBJ); + else if (ti.length > *len) + err = gpg_error (GPG_ERR_INV_BER); else if (!(err = _ksba_asntime_to_iso (*buf, ti.length, ti.tag == TYPE_UTC_TIME, isotime))) parse_skip (buf, len, &ti);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor