Bug 1168051 (CVE-2014-9087)

Summary: CVE-2014-9087 libksba: integer underflow flaw leading to a heap-based buffer overflow in ksba_oid_to_str()
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, rdieter, sisharma, tmraz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libksba 1.3.2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-10-09 12:05:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1168052    
Bug Blocks: 1168053    

Description Murray McAllister 2014-11-26 00:44:31 UTC 
An integer underflow flaw, leading to a heap-based buffer overflow, was found in the ksba_oid_to_str() function of the libksba library, used by various GnuPG utilities. Specially-crafted S/MIME messages or ECC-based OpenPGP data could cause an application using libksba to crash or, potentially, execute arbitrary code.

Upstream patch:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=f715b9e156dfa99ae829fc694e5a0abd23ef97d7

References:
http://seclists.org/oss-sec/2014/q4/788
http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html
Comment 1 Murray McAllister 2014-11-26 00:45:15 UTC 
Created libksba tracking bugs for this issue:

Affects: fedora-all [bug 1168052]
Comment 3 Murray McAllister 2014-11-26 00:52:09 UTC 
This issue has been addressed in upstream version 1.3.2.
Comment 4 Martin Prpič 2014-11-26 10:11:15 UTC 
MITRE assigned CVE-2014-9087 to this issue:

http://seclists.org/oss-sec/2014/q4/801
Comment 5 Fedora Update System 2014-12-06 02:34:06 UTC 
libksba-1.3.2-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-12-06 10:32:37 UTC 
libksba-1.3.2-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-12-07 04:38:47 UTC 
libksba-1.3.2-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Siddharth Sharma 2015-10-09 11:17:59 UTC 
Analysis:

libksba is library used to create X.509 Certificates, version of libksba as shipped in RHEL is affected by this flaw. Following is the problematic code in function

char *
ksba_oid_to_str (const char *buffer, size_t length)
{
 char *string, *p;

 unsigned long val, valmask;  // val is unsigned long

 ...

/* so just before next line if value of 'val is less than 80, it would subtract val - 80, resulting in very large value which would not fit in the buffer used in 
sprintf function causing crash. */

     val -= 80;
     sprintf (p, "2.%lu", val);


There is no evidence of this being exploited in wild.