Bug 30975 - libksba new security issue CVE-2022-3515
Summary: libksba new security issue CVE-2022-3515
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2022-10-17 16:49 CEST by Nicolas Salguero
Modified: 2022-11-02 00:00 CET
CC: 5 users

See Also:
Source RPM: libksba-1.5.0-1.mga8.src.rpm
CVE: CVE-2022-3515
Status comment:


Description Nicolas Salguero 2022-10-17 16:49:17 CEST
libksba 1.6.2 fixes a security issue:
Nicolas Salguero 2022-10-17 16:51:46 CEST

CVE: (none) => CVE-2022-3515
Whiteboard: (none) => MGA8TOO
CC: (none) => nicolas.salguero
Source RPM: (none) => libksba-1.5.0-1.mga8.src.rpm

Comment 1 Nicolas Salguero 2022-10-17 16:55:13 CEST
Suggested advisory:

The updated packages fix a security vulnerability:

Integer Overflow in LibKSBA. (CVE-2022-3515)


Updated packages in core/updates_testing:

from SRPM:

Version: Cauldron => 8
Assignee: bugsquad => qa-bugs
Whiteboard: MGA8TOO => (none)

Comment 2 David Walser 2022-10-18 14:38:48 CEST
Debian has issued an advisory for this on October 17:
Comment 3 Brian Rockwell 2022-10-25 20:33:39 CEST
The following 4 packages are going to be installed:

- lib64gpg-error-devel-1.41-1.mga8.x86_64
- lib64ksba-devel-1.5.0-1.1.mga8.x86_64
- lib64ksba8-1.5.0-1.1.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch

672KB of additional disk space will be used.

$ gpgconf --show-version

said 1.5.0

Created Cert
$ gpgsm --gen-key > x.pem

it worked.

That's my best guess on testing the library.

CC: (none) => brtians1

Comment 4 Thomas Andrews 2022-10-29 02:43:22 CEST
Looks like you have a good start.

Searching previous updates, there's a procedure at https://bugs.mageia.org/show_bug.cgi?id=11306#c3 (substitute "gpg2" for "gpg" in the test)

CC: (none) => andrewsfarm

Comment 5 Brian Rockwell 2022-10-30 04:16:13 CET
Sorry, no gpg2 in repo.
Comment 6 David Walser 2022-10-30 05:00:38 CET
gpg2 is a command name.  The package is gnupg2.
Comment 7 Brian Rockwell 2022-10-31 15:17:32 CET
Yep, gpg2 is installed. Running into issues and don't have time to deal with them. Someone else will need to validate this one.
Comment 8 Dave Hodgins 2022-10-31 17:35:12 CET
Validating based on comment 3. lib64ksba8 is used with the gpgsm command, not with the gpg or gpg2 commands or with openpgp (which thunderbird uses).

gpgsm requires converting the gpg keys from the format used in pubring.gpg to the format used in pubring.kbx.

I don't know if any other Mageia packages use gpgsm. None of the ones I'm familiar with use it in my usage or testing.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-11-01 22:35:42 CET

Keywords: (none) => advisory

Comment 9 Mageia Robot 2022-11-02 00:00:26 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED
