Bug 15717 - libksba new integer overflow security issue
Summary: libksba new integer overflow security issue
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/641765/
Whiteboard: has_procedure MGA4-32-OK advisory
Keywords: validated_update
Depends on:
Reported: 2015-04-17 16:50 CEST by David Walser
Modified: 2016-05-11 18:10 CEST (History)
1 user (show)

See Also:
Source RPM: libksba-1.3.2-1.mga4.src.rpm
Status comment:


Description David Walser 2015-04-17 16:50:40 CEST
libksba 1.3.3 fixes a security issue and a couple minor bugs.

The NEWS file from the source says this:

Noteworthy changes in version 1.3.3 (2015-04-10) [C19/A11/R4]
* Fixed an integer overflow in the DN decoder.
* Now returns an error instead of terminating the process for certain bad BER encodings.
* Improved the parsing of utf-8 strings in DNs.
* Allow building with newer versions of Bison.
* Improvement building on Windows with newer versions of Mingw.

Updated packages uploaded for Mageia 4 and Cauldron.

For some reason, it hasn't been announced on the gnupg list, so I don't have any references at this time.

Testing information for this package is in a previous update, Bug 14663.


The libksba package has been updated to version 1.3.3, which fixes an integer
overflow in the DN decoder and a couple of other minor bugs.


Updated packages in core/updates_testing:

from libksba-1.3.3-1.mga4.src.rpm


Steps to Reproduce:
David Walser 2015-04-17 16:50:48 CEST

Whiteboard: (none) => has_procedure

Comment 1 David Walser 2015-04-17 20:55:50 CEST
Tested fine on Mageia 4 i586 using the first half of MrsB's previous procedure with gpg2.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 2 claire robinson 2015-04-22 18:01:29 CEST
Validating. Advisory uploaded.

Please push to 4 updates


Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK advisory
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2015-04-23 23:15:14 CEST
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED

David Walser 2015-04-24 16:37:49 CEST

URL: (none) => http://lwn.net/Vulnerabilities/641765/

Comment 4 David Walser 2016-05-11 18:10:49 CEST
This update fixed CVE-2016-4354, CVE-2016-4355, and CVE-2016-4356:

Note You need to log in before you can comment on or make changes to this bug.