Version 1.3.3 of libksba fixes an integer overflow in the BER decoder: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=aea7b6032865740478ca4b706850a5217f1c3887
Created libksba tracking bugs for this issue: Affects: fedora-all [bug 1211263]
Statement: Red Hat Product Security has rated this issue as having moderate security impact; a future update may address this flaw in libksba.
CVE assignments: http://seclists.org/oss-sec/2016/q2/172
Descriptions: Use CVE-2016-4354 for the use of an incorrect integer data type. Use CVE-2016-4355 for the cases in which the code was simply making no attempt to check for an integer overflow (the "+ 100" cases and the "+= d->val.length" case).
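The two flaw classes named in the CVE split above, an undersized integer type and an unchecked "+ 100" / "+= length" accumulation, shown side by side with a checked variant; this is an added C illustration, not libksba's code, and the function names and sample lengths are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical checked addition (not libksba's): fail instead of wrapping. */
static int checked_add(size_t a, size_t b, size_t *out)
{
    if (b > SIZE_MAX - a)
        return -1;              /* a + b would not fit in size_t */
    *out = a + b;
    return 0;
}

/* Weak form: the accumulator is an unsigned int although element lengths
 * are size_t, and every "+=" is unchecked, so the total silently wraps
 * and a later allocation can be far smaller than the data it must hold. */
unsigned int total_needed_unchecked(const size_t *lens, size_t n)
{
    unsigned int sum = 100;            /* fixed slack: the "+ 100" case */
    for (size_t i = 0; i < n; i++)
        sum += (unsigned int)lens[i];  /* the "+= length" case, unchecked */
    return sum;
}

/* Hardened form: size_t accumulator and a checked addition at each step.
 * Returns 0 and writes *total, or -1 if any step would overflow, so the
 * caller can reject the element before allocating anything. */
int total_needed(const size_t *lens, size_t n, size_t *total)
{
    size_t sum = 100;
    for (size_t i = 0; i < n; i++)
        if (checked_add(sum, lens[i], &sum) != 0)
            return -1;
    *total = sum;
    return 0;
}

int main(void)
{
    /* Constructed input: one element claiming 0xFFFFFFFF payload bytes. */
    size_t lens[] = { (size_t)0xFFFFFFFFu };
    size_t total;
    printf("unchecked: %u bytes\n", total_needed_unchecked(lens, 1));
    if (total_needed(lens, 1, &total) != 0)
        printf("checked: rejected (overflow)\n");
    else
        printf("checked: %zu bytes\n", total);
    return 0;
}
```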
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2016-4354 https://access.redhat.com/security/cve/cve-2016-4355