Red Hat Bugzilla – Bug 1168051
CVE-2014-9087 libksba: integer underflow flaw leading to a heap-based buffer overflow in ksba_oid_to_str()
Last modified: 2015-10-09 08:05:31 EDT
An integer underflow flaw, leading to a heap-based buffer overflow, was found in the ksba_oid_to_str() function of the libksba library, used by various GnuPG utilities. Specially-crafted S/MIME messages or ECC-based OpenPGP data could cause an application using libksba to crash or, potentially, execute arbitrary code. Upstream patch: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=f715b9e156dfa99ae829fc694e5a0abd23ef97d7 References: http://seclists.org/oss-sec/2014/q4/788 http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html
Created libksba tracking bugs for this issue: Affects: fedora-all [bug 1168052]
This issue has been addressed in upstream version 1.3.2.
MITRE assigned CVE-2014-9087 to this issue: http://seclists.org/oss-sec/2014/q4/801
libksba-1.3.2-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
libksba-1.3.2-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
libksba-1.3.2-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Analysis: libksba is library used to create X.509 Certificates, version of libksba as shipped in RHEL is affected by this flaw. Following is the problematic code in function char * ksba_oid_to_str (const char *buffer, size_t length) { char *string, *p; unsigned long val, valmask; // val is unsigned long ... /* so just before next line if value of 'val is less than 80, it would subtract val - 80, resulting in very large value which would not fit in the buffer used in sprintf function causing crash. */ val -= 80; sprintf (p, "2.%lu", val); There is no evidence of this being exploited in wild.