Bug 15717

Summary: libksba new integer overflow security issue
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/641765/
Whiteboard: has_procedure MGA4-32-OK advisory
Source RPM: libksba-1.3.2-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-04-17 16:50:40 CEST 
libksba 1.3.3 fixes a security issue and a couple minor bugs.

The NEWS file from the source says this:

Noteworthy changes in version 1.3.3 (2015-04-10) [C19/A11/R4]
------------------------------------------------
* Fixed an integer overflow in the DN decoder.
* Now returns an error instead of terminating the process for certain bad BER encodings.
* Improved the parsing of utf-8 strings in DNs.
* Allow building with newer versions of Bison.
* Improvement building on Windows with newer versions of Mingw.

Updated packages uploaded for Mageia 4 and Cauldron.

For some reason, it hasn't been announced on the gnupg list, so I don't have any references at this time.

Testing information for this package is in a previous update, Bug 14663.

Advisory:
========================

The libksba package has been updated to version 1.3.3, which fixes an integer
overflow in the DN decoder and a couple of other minor bugs.

========================

Updated packages in core/updates_testing:
========================
libksba8-1.3.3-1.mga4
libksba-devel-1.3.3-1.mga4

from libksba-1.3.3-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2015-04-17 16:50:48 CEST

Whiteboard: (none) => has_procedure

Comment 1 David Walser 2015-04-17 20:55:50 CEST 
Tested fine on Mageia 4 i586 using the first half of MrsB's previous procedure with gpg2.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 2 claire robinson 2015-04-22 18:01:29 CEST 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK advisory
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2015-04-23 23:15:14 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0166.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-04-24 16:37:49 CEST

URL: (none) => http://lwn.net/Vulnerabilities/641765/

Comment 4 David Walser 2016-05-11 18:10:49 CEST 
This update fixed CVE-2016-4354, CVE-2016-4355, and CVE-2016-4356:
http://openwall.com/lists/oss-security/2016/04/29/8