Bug 19288 - libksba new DoS issue fixed in 1.3.5
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/699177/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-09-02 19:13 CEST by David Walser
Modified: 2016-09-21 22:39 CEST

See Also:
Source RPM: libksba-1.3.4-1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2016-09-02 19:13:28 CEST
libksba 1.3.5 has some security hardening, described in the quoted part at the bottom of this message:
http://openwall.com/lists/oss-security/2016/08/22/7

to address the issues described in this message:
http://openwall.com/lists/oss-security/2016/08/20/3

Fedora has issued an advisory for this on September 1:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KUORSGVTYHQQKX2AYN7ASGUMPKFCV3HJ/

I fixed this in Cauldron already on August 22, but we should update Mageia 5 too.
Comment 1 Marja Van Waes 2016-09-06 21:09:25 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2016-09-09 19:15:11 CEST
Updated package uploaded for Mageia 5.

Testing information for this package is in a previous update, Bug 14663.
(Test using gpg2).

Advisory:
========================

Updated libksba packages fix security vulnerabilities:

It was found that an unproportionate amount of memory is allocated when parsing
crafted certificates in libksba, which may lead to DoS. Moreover in libksba
1.3.4, allocated memory is uninitialized and could potentially contain sensitive
data left in freed memory block.

References:
http://openwall.com/lists/oss-security/2016/08/20/3
http://openwall.com/lists/oss-security/2016/08/22/7
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KUORSGVTYHQQKX2AYN7ASGUMPKFCV3HJ/
========================

Updated packages in core/updates_testing:
========================
libksba8-1.3.5-1.mga5
libksba-devel-1.3.5-1.mga5

from libksba-1.3.5-1.mga5.src.rpm

Assignee: pkg-bugs => qa-bugs
Whiteboard: (none) => has_procedure
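
The hardening pattern behind this class of fix, as an added example that is not libksba's code or part of the original report: a DER reader that refuses to allocate more than the input can supply and hands back zeroed memory. It assumes the over-allocation comes from trusting a length field in the encoded certificate; `copy_der_value` and the `TLV_*` codes are hypothetical names, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

enum { TLV_OK = 0, TLV_TRUNCATED = -1, TLV_BAD_LENGTH = -2, TLV_NOMEM = -3 };

/* Hypothetical helper (not a libksba API): parse one definite-length DER
 * TLV with a single-byte tag and copy its value into a zeroed buffer. */
int copy_der_value(const unsigned char *buf, size_t len,
                   unsigned char **out, size_t *out_len)
{
    size_t pos = 1, vlen = 0;               /* pos = 1 skips the tag byte */
    *out = NULL;
    *out_len = 0;
    if (len < 2)
        return TLV_TRUNCATED;
    unsigned char first = buf[pos++];
    if (first < 0x80) {
        vlen = first;                       /* short form */
    } else {
        size_t n = first & 0x7f;            /* count of length octets */
        if (n == 0 || n > sizeof(size_t))   /* indefinite or too wide */
            return TLV_BAD_LENGTH;
        if (n > len - pos)
            return TLV_TRUNCATED;
        while (n--)
            vlen = (vlen << 8) | buf[pos++];
    }
    /* Key check: the declared length must fit in the bytes actually
     * present, so a tiny input can never trigger a huge allocation. */
    if (vlen > len - pos)
        return TLV_TRUNCATED;
    /* calloc zeroes the block; stale heap contents cannot leak later. */
    unsigned char *p = calloc(vlen ? vlen : 1, 1);
    if (!p)
        return TLV_NOMEM;
    memcpy(p, buf + pos, vlen);
    *out = p;
    *out_len = vlen;
    return TLV_OK;
}

int main(void)
{
    /* Constructed input: OCTET STRING claiming 0x7fffffff bytes, 1 present. */
    const unsigned char crafted[] = { 0x04, 0x84, 0x7f, 0xff, 0xff, 0xff, 0x00 };
    unsigned char *v; size_t n;
    return copy_der_value(crafted, sizeof crafted, &v, &n) == TLV_TRUNCATED ? 0 : 1;
}
```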

Comment 3 Herman Viaene 2016-09-13 16:23:20 CEST
MGA5-32 on AcerD620 Xfce
No installation issues
Tested following bug11306 up to the deletion of the newly generated key. All successful.
Remark: I got warnings 
gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
gpg: WARNING: GnuPG will not work properly - please configure that tool to not interfere with the GnuPG system!

but those did not stop the test.

CC: (none) => herman.viaene

Herman Viaene 2016-09-13 16:23:43 CEST

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 4 Lewis Smith 2016-09-16 11:03:00 CEST
Testing Mageia5 x64 real hardware.
Updated from installed lib64ksba8-1.3.4-1.mga5 to lib64ksba8-1.3.5-1.mga5 no probs.
Using procedure given in
 https://bugs.mageia.org/show_bug.cgi?id=11306#c3
adapted for gpg2 & summarised below for up-to-date-ness. I must have a key of some sort already in place (for Advisories), so when the first passphrase/password was asked for (dialogue box), I was unsure whether it wanted a new one or the existing one. I gave the existing one. For simplicity, better to give a real/user name as a *single string* to save quoting it in later commands.

Generate a key:
 $ gpg2 --gen-key
[Lots of output & questions, where I accepted defaults where offered:]
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)      [Enter]
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)              [Enter]
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Lewis Smith
Email address: lewyssmith@rubbish.fr
Comment: Bug 19288
You selected this USER-ID:
    "Lewis Smith (Bug 19288) <lewyssmith@rubbish.fr>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
[Enigmatic dialogue, gave existing password]
[Same errors, ignored, noted in Comment 3]
gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
gpg: WARNING: GnuPG will not work properly - please configure that tool to not interfere with the GnuPG system!
We need to generate a lot of random bytes. etc etc
[Long wait]
gpg: /home/lewis/.gnupg/trustdb.gpg: trustdb created
gpg: key 588DB37C marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/588DB37C 2016-09-16
      Key fingerprint = 0365 C16A 2FD1 F16F 471E  5925 1B18 24BC 588D B37C
uid       [ultimate] Lewis Smith (Bug 19288) <lewyssmith@rubbish.fr>
sub   2048R/500F5FEA 2016-09-16

Show it is there:
 $ gpg2 --list-keys
/home/lewis/.gnupg/pubring.gpg
------------------------------
pub   2048R/588DB37C 2016-09-16
uid       [ultimate] Lewis Smith (Bug 19288) <lewyssmith@rubbish.fr>
sub   2048R/500F5FEA 2016-09-16

Create a test file:
 $ echo "pgp2/lib64ksba8 test" > pgp2.txt
 $ cat pgp2.txt 
pgp2/lib64ksba8 test

Encrypt it:
 $ gpg2 -e -r 'Lewis Smith' pgp2.txt
 $ ls pgp2*
pgp2.txt  pgp2.txt.gpg
Then remove the original to allow for its subsequent decryption:
 $ rm pgp2.txt

Decrypt the encrypted file:
 $ gpg2 pgp2.txt.gpg 
You need a passphrase to unlock the secret key for
user: "Lewis Smith (Bug 19288) <lewyssmith@free.fr>"
2048-bit RSA key, ID 500F5FEA, created 2016-09-16 (main key ID 588DB37C)
[Passphrase/password dialogue]
[Same errors, ignored, noted in Comment 3]
gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
gpg: WARNING: GnuPG will not work properly - please configure that tool to not interfere with the GnuPG system!
gpg: encrypted with 2048-bit RSA key, ID 500F5FEA, created 2016-09-16
      "Lewis Smith (Bug 19288) <lewyssmith@rubbish.fr>"

Check the result:
 $ ls pgp2*
pgp2.txt  pgp2.txt.gpg
 $ cat pgp2.txt 
pgp2/lib64ksba8 test

Delete the keys:
 $ gpg2 --delete-secret-keys 'Lewis Smith'
..
sec  2048R/588DB37C 2016-09-16 Lewis Smith (Bug 19288) <lewyssmith@rubbish.fr>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

 $ gpg2 --delete-key 'Lewis Smith'
..
pub  2048R/588DB37C 2016-09-16 Lewis Smith (Bug 19288) <lewyssmith@rubbish.fr>

Delete this key from the keyring? (y/N) y
 $ gpg2 --list-keys
gpg: checking the trustdb
gpg: no ultimately trusted keys found

This all seems OK.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Lewis Smith 2016-09-16 11:15:41 CEST
Update validated, advisory uploaded (which lacks CVEs).

Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 6 Mageia Robot 2016-09-21 22:39:20 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0310.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

