Bug 2135610 (CVE-2022-3515) - CVE-2022-3515 libksba: integer overflow may lead to remote code execution
Summary: CVE-2022-3515 libksba: integer overflow may lead to remote code execution
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-3515
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2135617 2135695 2135696 2135697 2135698 2135699 2135700 2135701 2135702 2135703 2135704 2136431
Blocks: 2134910
Reported: 2022-10-18 05:39 UTC by TEJ RATHI
Modified: 2024-03-18 13:28 UTC (History)
CC List: 39 users

Fixed In Version: libksba 1.6.2
Clone Of:
Environment:
Last Closed: 2023-02-13 09:08:57 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2022:7096 | 0 | None | None | None | 2022-10-25 00:39:10 UTC
Red Hat Product Errata | RHBA-2022:7097 | 0 | None | None | None | 2022-10-25 03:26:00 UTC
Red Hat Product Errata | RHBA-2022:7098 | 0 | None | None | None | 2022-10-25 03:31:01 UTC
Red Hat Product Errata | RHBA-2022:7099 | 0 | None | None | None | 2022-10-25 03:53:27 UTC
Red Hat Product Errata | RHBA-2022:7138 | 0 | None | None | None | 2022-10-25 08:29:54 UTC
Red Hat Product Errata | RHBA-2022:7139 | 0 | None | None | None | 2022-10-25 09:02:45 UTC
Red Hat Product Errata | RHBA-2022:7141 | 0 | None | None | None | 2022-10-25 09:04:40 UTC
Red Hat Product Errata | RHBA-2022:7174 | 0 | None | None | None | 2022-10-25 13:22:29 UTC
Red Hat Product Errata | RHBA-2022:7175 | 0 | None | None | None | 2022-10-25 13:28:09 UTC
Red Hat Product Errata | RHBA-2022:7193 | 0 | None | None | None | 2022-10-25 17:07:43 UTC
Red Hat Product Errata | RHBA-2022:7195 | 0 | None | None | None | 2022-10-25 18:23:45 UTC
Red Hat Product Errata | RHBA-2022:7196 | 0 | None | None | None | 2022-10-25 22:24:29 UTC
Red Hat Product Errata | RHBA-2022:7197 | 0 | None | None | None | 2022-10-25 22:29:14 UTC
Red Hat Product Errata | RHBA-2022:7199 | 0 | None | None | None | 2022-10-26 00:50:41 UTC
Red Hat Product Errata | RHBA-2022:7204 | 0 | None | None | None | 2022-10-26 07:29:19 UTC
Red Hat Product Errata | RHBA-2022:7222 | 0 | None | None | None | 2022-10-26 20:26:24 UTC
Red Hat Product Errata | RHBA-2022:7223 | 0 | None | None | None | 2022-10-26 17:35:10 UTC
Red Hat Product Errata | RHBA-2022:7224 | 0 | None | None | None | 2022-10-26 17:44:28 UTC
Red Hat Product Errata | RHBA-2022:7227 | 0 | None | None | None | 2022-10-26 20:23:22 UTC
Red Hat Product Errata | RHBA-2022:7235 | 0 | None | None | None | 2022-10-27 06:40:21 UTC
Red Hat Product Errata | RHBA-2022:7241 | 0 | None | None | None | 2022-10-27 12:15:19 UTC
Red Hat Product Errata | RHBA-2022:7245 | 0 | None | None | None | 2022-10-27 16:09:36 UTC
Red Hat Product Errata | RHBA-2022:7246 | 0 | None | None | None | 2022-10-27 16:25:03 UTC
Red Hat Product Errata | RHBA-2022:7247 | 0 | None | None | None | 2022-10-27 16:27:05 UTC
Red Hat Product Errata | RHBA-2022:7250 | 0 | None | None | None | 2022-10-27 17:24:27 UTC
Red Hat Product Errata | RHBA-2022:7251 | 0 | None | None | None | 2022-10-27 17:31:11 UTC
Red Hat Product Errata | RHBA-2022:7260 | 0 | None | None | None | 2022-10-31 10:51:26 UTC
Red Hat Product Errata | RHBA-2022:7264 | 0 | None | None | None | 2022-10-31 15:52:35 UTC
Red Hat Product Errata | RHBA-2022:7267 | 0 | None | None | None | 2022-11-01 08:54:05 UTC
Red Hat Product Errata | RHBA-2022:7270 | 0 | None | None | None | 2022-11-01 10:45:57 UTC
Red Hat Product Errata | RHBA-2022:7271 | 0 | None | None | None | 2022-11-01 10:50:46 UTC
Red Hat Product Errata | RHBA-2022:7275 | 0 | None | None | None | 2022-11-01 12:41:19 UTC
Red Hat Product Errata | RHBA-2022:7310 | 0 | None | None | None | 2022-11-02 11:50:42 UTC
Red Hat Product Errata | RHBA-2022:7406 | 0 | None | None | None | 2022-11-03 12:48:22 UTC
Red Hat Product Errata | RHBA-2022:7425 | 0 | None | None | None | 2022-11-03 17:16:12 UTC
Red Hat Product Errata | RHBA-2022:7431 | 0 | None | None | None | 2022-11-07 01:42:08 UTC
Red Hat Product Errata | RHBA-2022:7432 | 0 | None | None | None | 2022-11-07 01:52:12 UTC
Red Hat Product Errata | RHBA-2022:7440 | 0 | None | None | None | 2022-11-07 11:35:03 UTC
Red Hat Product Errata | RHBA-2022:7441 | 0 | None | None | None | 2022-11-07 16:05:04 UTC
Red Hat Product Errata | RHBA-2022:7442 | 0 | None | None | None | 2022-11-07 19:01:12 UTC
Red Hat Product Errata | RHBA-2022:7891 | 0 | None | None | None | 2022-11-09 15:14:17 UTC
Red Hat Product Errata | RHBA-2022:7898 | 0 | None | None | None | 2022-11-09 16:04:33 UTC
Red Hat Product Errata | RHBA-2022:7930 | 0 | None | None | None | 2022-11-14 15:33:58 UTC
Red Hat Product Errata | RHBA-2022:8510 | 0 | None | None | None | 2022-11-16 15:26:59 UTC
Red Hat Product Errata | RHBA-2022:8539 | 0 | None | None | None | 2022-11-21 04:10:00 UTC
Red Hat Product Errata | RHBA-2022:8577 | 0 | None | None | None | 2022-11-22 13:40:26 UTC
Red Hat Product Errata | RHBA-2022:8599 | 0 | None | None | None | 2022-11-22 16:07:07 UTC
Red Hat Product Errata | RHBA-2022:8658 | 0 | None | None | None | 2022-11-28 17:57:38 UTC
Red Hat Product Errata | RHBA-2022:8802 | 0 | None | None | None | 2022-12-06 09:27:16 UTC
Red Hat Product Errata | RHBA-2023:0001 | 0 | None | None | None | 2023-01-02 01:12:38 UTC
Red Hat Product Errata | RHSA-2022:7088 | 0 | None | None | None | 2022-10-24 13:29:43 UTC
Red Hat Product Errata | RHSA-2022:7089 | 0 | None | None | None | 2022-10-24 14:02:41 UTC
Red Hat Product Errata | RHSA-2022:7090 | 0 | None | None | None | 2022-10-24 14:17:09 UTC
Red Hat Product Errata | RHSA-2022:7209 | 0 | None | None | None | 2022-10-26 11:05:33 UTC
Red Hat Product Errata | RHSA-2022:7283 | 0 | None | None | None | 2022-11-01 14:18:55 UTC
Red Hat Product Errata | RHSA-2022:7927 | 0 | None | None | None | 2022-11-14 08:55:30 UTC
Red Hat Product Errata | RHSA-2022:8598 | 0 | None | None | None | 2022-11-22 15:28:43 UTC

Description TEJ RATHI 2022-10-18 05:39:59 UTC
A bug was found in libksba, the library used by GnuPG for parsing the ASN.1 structures as used by S/MIME. The bug affects all versions of libksba before 1.6.2 and may be used for remote code execution.

https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html
https://dev.gnupg.org/T6230
https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b
https://lwn.net/Articles/911467/

Comment 1 TEJ RATHI 2022-10-18 05:51:22 UTC
Created libksba tracking bugs for this issue:

Affects: fedora-all [bug 2135617]

Comment 10 errata-xmlrpc 2022-10-24 13:29:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:7088 https://access.redhat.com/errata/RHSA-2022:7088

Comment 11 errata-xmlrpc 2022-10-24 14:02:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7089 https://access.redhat.com/errata/RHSA-2022:7089

Comment 12 errata-xmlrpc 2022-10-24 14:17:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7090 https://access.redhat.com/errata/RHSA-2022:7090

Comment 13 errata-xmlrpc 2022-10-26 11:05:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:7209 https://access.redhat.com/errata/RHSA-2022:7209

Comment 14 errata-xmlrpc 2022-11-01 14:18:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2022:7283 https://access.redhat.com/errata/RHSA-2022:7283

Comment 15 Fedora Update System 2022-11-01 15:55:30 UTC
FEDORA-2022-7c13845b0d has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 17 errata-xmlrpc 2022-11-14 08:55:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:7927 https://access.redhat.com/errata/RHSA-2022:7927

Comment 19 errata-xmlrpc 2022-11-22 15:28:40 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:8598 https://access.redhat.com/errata/RHSA-2022:8598

Comment 20 Product Security DevOps Team 2023-02-13 09:08:54 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3515
