Bug 30975 - libksba new security issue CVE-2022-3515
Summary: libksba new security issue CVE-2022-3515
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All  OS: Linux
Priority: Normal  Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2022-10-17 16:49 CEST by Nicolas Salguero
Modified: 2022-11-02 00:00 CET (History)

See Also:
Source RPM: libksba-1.5.0-1.mga8.src.rpm
CVE: CVE-2022-3515
Status comment:


Attachments

Description Nicolas Salguero 2022-10-17 16:49:17 CEST
libksba 1.6.2 fixes a security issue:
https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html
Nicolas Salguero 2022-10-17 16:51:46 CEST

CVE: (none) => CVE-2022-3515
Whiteboard: (none) => MGA8TOO
CC: (none) => nicolas.salguero
Source RPM: (none) => libksba-1.5.0-1.mga8.src.rpm

Comment 1 Nicolas Salguero 2022-10-17 16:55:13 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Integer Overflow in LibKSBA. (CVE-2022-3515)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3515
https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html
========================

Updated packages in core/updates_testing:
========================
lib(64)ksba8-1.5.0-1.1.mga8
lib(64)ksba-devel-1.5.0-1.1.mga8

from SRPM:
libksba-1.5.0-1.1.mga8.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 8
Assignee: bugsquad => qa-bugs
Whiteboard: MGA8TOO => (none)

Comment 2 David Walser 2022-10-18 14:38:48 CEST
Debian has issued an advisory for this on October 17:
https://www.debian.org/security/2022/dsa-5255
Comment 3 Brian Rockwell 2022-10-25 20:33:39 CEST
The following 4 packages are going to be installed:

- lib64gpg-error-devel-1.41-1.mga8.x86_64
- lib64ksba-devel-1.5.0-1.1.mga8.x86_64
- lib64ksba8-1.5.0-1.1.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch

672KB of additional disk space will be used.


$ gpgconf --show-version

said 1.5.0

Created cert:
$ gpgsm --gen-key > x.pem

It worked.

That's my best guess on testing the library.

CC: (none) => brtians1

Comment 4 Thomas Andrews 2022-10-29 02:43:22 CEST
Looks like you have a good start. 

Searching previous updates, there's a procedure at https://bugs.mageia.org/show_bug.cgi?id=11306#c3 (substitute "gpg2" for "gpg" in the test)

CC: (none) => andrewsfarm

Comment 5 Brian Rockwell 2022-10-30 04:16:13 CET
sorry no gpg2 in repo.
Comment 6 David Walser 2022-10-30 05:00:38 CET
gpg2 is a command name.  The package is gnupg2.
Comment 7 Brian Rockwell 2022-10-31 15:17:32 CET
yep gpg2 is installed.  Running into issues and don't have time to deal with them.  Someone else will need to validate this one.
Comment 8 Dave Hodgins 2022-10-31 17:35:12 CET
Validating based on comment 3. lib64ksba8 is used with the gpgsm command, not
with the gpg or gpg2 commands or with openpgp (which thunderbird uses).

gpgsm requires converting the gpg keys from the format used in pubring.gpg to
the format used in pubring.kbx

I don't know if any other Mageia packages use gpgsm. None of the ones I'm
familiar with use it in my usage or testing.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => validated_update
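Added validation example (not part of the bug thread and not Mageia's QA procedure): the script below does what comments 3 and 8 describe, in a form that can be repeated on another machine. It checks that the installed lib64ksba8 is at least the fixed build from comment 1 using rpm's own version-ordering rules (a plain string or `sort -V` comparison orders "1.mga8" after "1.1.mga8", which is wrong), confirms via ldd which libksba the gpgsm binary actually loads, and pushes a throwaway self-signed certificate through `gpgsm --import` and `--list-keys`, since the X.509 decoding on that path is libksba's. The package name lib64ksba8 (libksba8 on i586), the test certificate, and the presence of rpm, ldd, openssl and gpgsm on PATH are assumptions; the live checks report None/False rather than failing when a tool is missing.

```python
#!/usr/bin/env python3
"""Validate a libksba security update the way a QA tester would.

Added example; not code from the bug report or from Mageia. It checks:
  1. the installed lib64ksba8 is at or past the fixed build, ordered by
     rpm's rules (numeric segment beats alphabetic, so 1.1.mga8 > 1.mga8);
  2. which libksba shared object gpgsm resolves at load time;
  3. gpgsm can still parse and import an X.509 certificate, the work
     that libksba does for it.
"""
import os
import re
import shutil
import subprocess
import tempfile

FIXED_VR = "1.5.0-1.1.mga8"   # VERSION-RELEASE of the update from comment 1
KSBA_PACKAGE = "lib64ksba8"   # assumption: x86_64 name; libksba8 on i586

_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")  # rpm segments; other chars separate


def rpmvercmp(a: str, b: str) -> int:
    """Order two rpm version or release strings like librpm's rpmvercmp():
    numeric runs compare as integers, a numeric run beats an alphabetic one,
    '~' sorts before anything including end of string, and when one string
    runs out with all segments equal the longer one is newer. -1, 0 or 1."""
    xs, ys = _SEG.findall(a), _SEG.findall(b)
    for i in range(max(len(xs), len(ys))):
        x = xs[i] if i < len(xs) else None
        y = ys[i] if i < len(ys) else None
        if x == "~" or y == "~":
            if x == y:
                continue
            return -1 if x == "~" else 1
        if x is None or y is None:
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        xk, yk = (int(x), int(y)) if x.isdigit() else (x, y)
        if xk != yk:
            return 1 if xk > yk else -1
    return 0


def vr_is_fixed(installed_vr: str, fixed_vr: str = FIXED_VR) -> bool:
    """True when VERSION-RELEASE `installed_vr` is at or past the fix."""
    iv, ir = installed_vr.split("-", 1)
    fv, fr = fixed_vr.split("-", 1)
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0


def installed_ksba_vr(package: str = KSBA_PACKAGE):
    """VERSION-RELEASE of the installed package from rpm; None without rpm."""
    if shutil.which("rpm") is None:
        return None
    r = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", package],
                       capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None


def parse_ldd_for_ksba(ldd_output: str):
    """Path of the libksba line in ldd output, or None if not linked."""
    m = re.search(r"^\s*libksba\S*\s*=>\s*(\S+)", ldd_output, re.M)
    return m.group(1) if m else None


def ksba_linked_by_gpgsm():
    """libksba that gpgsm resolves at load time, so a stale copy outside the
    package cannot mask the update; None if gpgsm or ldd is missing."""
    gpgsm = shutil.which("gpgsm")
    if gpgsm is None or shutil.which("ldd") is None:
        return None
    out = subprocess.run(["ldd", gpgsm], capture_output=True, text=True).stdout
    return parse_ldd_for_ksba(out)


def gpgsm_smoke_test() -> bool:
    """Generate a throwaway self-signed certificate (constructed here, no CA),
    import it into a scratch GNUPGHOME with gpgsm and confirm it is listed.
    Returns False when openssl or gpgsm is not installed."""
    if not all(shutil.which(t) for t in ("openssl", "gpgsm")):
        return False
    with tempfile.TemporaryDirectory() as tmp:
        cert = os.path.join(tmp, "cert.pem")
        subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                        "-days", "1", "-subj", "/CN=libksba-smoke-test",
                        "-keyout", os.path.join(tmp, "key.pem"), "-out", cert],
                       check=True, capture_output=True)
        home = os.path.join(tmp, "gnupghome")
        os.mkdir(home, 0o700)
        env = dict(os.environ, GNUPGHOME=home)
        subprocess.run(["gpgsm", "--batch", "--import", cert],
                       env=env, capture_output=True)
        out = subprocess.run(["gpgsm", "--batch", "--list-keys"],
                             env=env, capture_output=True, text=True).stdout
        return "libksba-smoke-test" in out


if __name__ == "__main__":
    vr = installed_ksba_vr()
    print(f"{KSBA_PACKAGE}: {vr}, fixed: {vr is not None and vr_is_fixed(vr)}")
    print("gpgsm links libksba from:", ksba_linked_by_gpgsm())
    print("gpgsm certificate import/list:", gpgsm_smoke_test())
```

Run it as an unprivileged user after installing the updates_testing packages; the version check passes only for 1.5.0-1.1.mga8 or newer, and the ldd line should point into the directory the updated lib64ksba8 package owns. As comment 8 notes, gpg and gpg2 never touch libksba, so a test through them says nothing about this update.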

Dave Hodgins 2022-11-01 22:35:42 CET

Keywords: (none) => advisory

Comment 9 Mageia Robot 2022-11-02 00:00:26 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0404.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

