Bug 1168051 (CVE-2014-9087) - CVE-2014-9087 libksba: integer underflow flaw leading to a heap-based buffer overflow in ksba_oid_to_str()
Summary: CVE-2014-9087 libksba: integer underflow flaw leading to a heap-based buffer ...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-9087
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1168052
Blocks: 1168053
TreeView+ depends on / blocked
 
Reported: 2014-11-26 00:44 UTC by Murray McAllister
Modified: 2019-09-29 13:24 UTC (History)
4 users (show)

Fixed In Version: libksba 1.3.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-10-09 12:05:31 UTC


Attachments (Terms of Use)

Description Murray McAllister 2014-11-26 00:44:31 UTC
An integer underflow flaw, leading to a heap-based buffer overflow, was found in the ksba_oid_to_str() function of the libksba library, used by various GnuPG utilities. Specially-crafted S/MIME messages or ECC-based OpenPGP data could cause an application using libksba to crash or, potentially, execute arbitrary code.

Upstream patch:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=f715b9e156dfa99ae829fc694e5a0abd23ef97d7

References:
http://seclists.org/oss-sec/2014/q4/788
http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html

Comment 1 Murray McAllister 2014-11-26 00:45:15 UTC
Created libksba tracking bugs for this issue:

Affects: fedora-all [bug 1168052]

Comment 3 Murray McAllister 2014-11-26 00:52:09 UTC
This issue has been addressed in upstream version 1.3.2.

Comment 4 Martin Prpič 2014-11-26 10:11:15 UTC
MITRE assigned CVE-2014-9087 to this issue:

http://seclists.org/oss-sec/2014/q4/801

Comment 5 Fedora Update System 2014-12-06 02:34:06 UTC
libksba-1.3.2-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-12-06 10:32:37 UTC
libksba-1.3.2-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2014-12-07 04:38:47 UTC
libksba-1.3.2-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Siddharth Sharma 2015-10-09 11:17:59 UTC
Analysis:

libksba is library used to create X.509 Certificates, version of libksba as shipped in RHEL is affected by this flaw. Following is the problematic code in function

char *
ksba_oid_to_str (const char *buffer, size_t length)
{
 char *string, *p;

 unsigned long val, valmask;  // val is unsigned long

 ...

/* so just before next line if value of 'val is less than 80, it would subtract val - 80, resulting in very large value which would not fit in the buffer used in 
sprintf function causing crash. */

     val -= 80;
     sprintf (p, "2.%lu", val);


There is no evidence of this being exploited in wild.


Note You need to log in before you can comment on or make changes to this bug.