An integer underflow flaw, leading to a heap-based buffer overflow, was found in the ksba_oid_to_str() function of the libksba library, used by various GnuPG utilities. Specially-crafted S/MIME messages or ECC-based OpenPGP data could cause an application using libksba to crash or, potentially, execute arbitrary code.
Created libksba tracking bugs for this issue:
Affects: fedora-all [bug 1168052]
This issue has been addressed in upstream version 1.3.2.
MITRE assigned CVE-2014-9087 to this issue:
libksba-1.3.2-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
libksba-1.3.2-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
libksba-1.3.2-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
libksba is a library used to create X.509 certificates; the version of libksba shipped in RHEL is affected by this flaw. The following is the problematic code in the function ksba_oid_to_str (excerpt; the surrounding code is omitted):

    char *
    ksba_oid_to_str (const char *buffer, size_t length)
    {
      char *string, *p;
      unsigned long val, valmask;   /* val is unsigned long */
      ...
      /* If val is less than 80 just before the next line, the subtraction
         val - 80 wraps around (val is unsigned), producing a very large
         value whose decimal representation does not fit in the buffer
         that sprintf writes into, causing the crash. */
      val -= 80;
      sprintf (p, "2.%lu", val);
      ...
    }
There is no evidence of this being exploited in the wild.
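The following is an added example, not code from libksba or from this bug report. It isolates the unsigned wrap-around described above: first_arc_unchecked() performs the same "subtract 80, then format with 2.%lu" step on its own (an assumption about the shape of the bug, not the library's actual control flow), while first_arc_checked() selects the arc by range before subtracting, following the X.690 rule that the first subidentifier encodes 40*X + Y with X in {0, 1, 2}. snprintf is used instead of sprintf so the demonstration reports the length the wrapped value needs rather than corrupting memory; the buffer sizes and OID values are constructed for the example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* The wrapped value itself: for val < 80 this is ULONG_MAX + 1 - (80 - val). */
unsigned long wrapped_value(unsigned long val)
{
    return val - 80;
}

/* Vulnerable shape (assumption modelled on the excerpt): subtract without a
   range check. Returns the length the formatted string needs (snprintf
   semantics) and never writes more than outsz bytes. */
size_t first_arc_unchecked(unsigned long val, char *out, size_t outsz)
{
    val -= 80;                       /* wraps around when val < 80 */
    int n = snprintf(out, outsz, "2.%lu", val);
    return n < 0 ? 0 : (size_t) n;
}

/* Hardened shape: pick the first arc by range so the subtraction cannot
   underflow, and report -1 when the caller's buffer is too small. */
int first_arc_checked(unsigned long val, char *out, size_t outsz)
{
    int n;
    if (val < 40)
        n = snprintf(out, outsz, "0.%lu", val);
    else if (val < 80)
        n = snprintf(out, outsz, "1.%lu", val - 40);
    else
        n = snprintf(out, outsz, "2.%lu", val - 80);
    if (n < 0 || (size_t) n >= outsz)
        return -1;                   /* output would have been truncated */
    return n;
}

/* Helper for checking results: formats val and compares with expected. */
int first_arc_equals(unsigned long val, const char *expected)
{
    char buf[32];
    return first_arc_checked(val, buf, sizeof buf) >= 0
           && strcmp(buf, expected) == 0;
}

int main(void)
{
    char small[8];   /* constructed: sized for a short first arc such as "2.5" */
    size_t need = first_arc_unchecked(5, small, sizeof small);
    printf("unchecked: val=5 needs %zu bytes, buffer holds %zu\n",
           need, sizeof small);

    char ok[32];
    int n = first_arc_checked(5, ok, sizeof ok);
    printf("checked:   val=5 -> \"%s\" (%d bytes)\n", ok, n);
    return 0;
}
```

With the original sprintf the unchecked path writes the full 20-digit (on 64-bit unsigned long) representation past the end of a buffer sized for a few characters, which is the heap overflow the advisory describes; a build with AddressSanitizer would report it at that write. The checked version makes the range decision the only place the value is interpreted, so no branch can reach a subtraction that wraps.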