From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 56EE5158020 for ; Mon, 31 Oct 2022 01:53:52 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 54D02E09C4; Mon, 31 Oct 2022 01:45:27 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 5D295E07E6 for ; Mon, 31 Oct 2022 01:16:53 +0000 (UTC) Received: from glsamakerdev.dev.gentoo.org (unknown [140.211.166.165]) by smtp.gentoo.org (Postfix) with ESMTP id D0701340D94 for ; Mon, 31 Oct 2022 01:16:52 +0000 (UTC) Received: from [172.18.0.3] (unknown [172.18.0.3]) by glsamakerdev.dev.gentoo.org (Postfix) with ESMTP id B3F938D16A for ; Mon, 31 Oct 2022 01:16:52 +0000 (-00) Subject: [gentoo-announce] [ GLSA 202210-23 ] libksba: Remote Code Execution Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-announce@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha512"; boundary="===============0752584110209269013==" From: glsamaker@gentoo.org To: gentoo-announce@lists.gentoo.org Reply-To: security@gentoo.org Date: Mon, 31 Oct 2022 01:16:52 -0000 Message-ID: <166717901273.9.765762177480340188@90bb6a0775af> X-Archives-Salt: a19aa796-8d16-4f6c-87aa-ba6a1a3d0e42 X-Archives-Hash: 35f5cd5f7e79e6dce391d9583ead4455 --===============0752584110209269013== Content-Type: text/plain; charset="utf-8" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202210-23 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: libksba: Remote Code Execution Date: October 31, 2022 Bugs: #877453 ID: 202210-23 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== An integer overflow vulnerability has been found in libksba which could result in remote code execution. Background ========== Libksba is a X.509 and CMS (PKCS#7) library. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/libksba < 1.6.2 >= 1.6.2 Description =========== An integer overflow in parsing ASN.1 objects could lead to a buffer overflow. Impact ====== Crafted ASN.1 objects could trigger an integer overflow and buffer overflow to result in remote code execution. Workaround ========== There is no known workaround at this time. Resolution ========== All libksba users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/libksba-1.6.2" References ========== [ 1 ] CVE-2022-3515 https://nvd.nist.gov/vuln/detail/CVE-2022-3515 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202210-23 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2022 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 --===============0752584110209269013== Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmNfIgQACgkQFMQkOaVy +9nd8A//RJWCdP8RbRDrTlGHLf64Y7hA3z4xrjmaWDzpNpB7zl8yaqUw+K1RoKQb /gQN4MoZoGXYVVCXqk+iliDJ3IUxfHKscOFhoc8V6BUwHfoU8VDoR3ScRNrxEcdD M9DzRmuvrzi4sZv9r2D77ESR2x1j7tjOBDZ0FdhoU1L+B96D1Muf6fRZTrnXdSWm aPuSjZveg2s6Gpr3Jb22ZgT5lrjrPM+9Y1NCki9twmBQpsPWSaSGD2T3zIouZnZt Akc7H70bK1NuDThtBzmws50rq+CYS0giwUEX7CZzGg08qMKmc8kp1We65v2GY3H2 Q4sPRl6ingFzgL8tgM/0q6NGuRPR5eNi4lKrAhDgV6Ia8gd3wnDzqyIdXUL6XA30 UpxFU31jsB2t7ZapyWWCzLTVcYF7Ot8xa5/IeKufq0zn2S5+bTVs33CVCtSRsxd1 a45+fKueKOWOV4bIlFV3fWPT+w9E+LlnT0CdZKArQbgF7GWOevayFEYMg+Be3hk3 jiolEf+GGfV7yfUITk/LC1TeCRZjN3gX3Xi5CihNH6rv9bkUy6wt1IV03RzhsBW3 N98hoa5eTXtCbWm6/CBonr936mgXRl4q3MEi3ZShG8VLKQkmICXnDdzE9c6K30Aw 5aIF8P0A6rUcwgusYZCiwDFl74GYnz5mAjHYenpnGDA3dKfHTrM= =Yo7g -----END PGP SIGNATURE----- --===============0752584110209269013==--