[git] KSBA - branch, master, updated. libksba-1.3.3-7-g3f74c2c
by Werner Koch
cvs at cvs.gnupg.org
Tue May 3 16:08:04 CEST 2016
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "KSBA is a library to access X.509 certificates and CMS data.".
The branch, master has been updated
via 3f74c2cc0068d0b3584627af73c8c42ce720a826 (commit)
via 6be61daac047d8e6aa941eb103f8e71a1d4e3c75 (commit)
via a7eed17a0b2a1c09ef986f3b4b323cd31cea2b64 (commit)
from 3d968bbffc3a0acda890e342fbbfa5b34a26085e (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 3f74c2cc0068d0b3584627af73c8c42ce720a826
Author: Werner Koch <wk at gnupg.org>
Date: Tue May 3 16:06:52 2016 +0200
Fix an undefined return value in ksba_cert_get_digest_algo.
* src/cert.c (ksba_cert_get_digest_algo): Set ALGO in the error case.
* tests/cert-basic.c (one_file): Take care of printf which does not
handle NULL for %s
--
GnuPG-bug-id: 2343
Reported-by: Pascal Cuoq
diff --git a/src/cert.c b/src/cert.c
index f3ff6a1..dc97f83 100644
--- a/src/cert.c
+++ b/src/cert.c
@@ -464,7 +464,10 @@ ksba_cert_get_digest_algo (ksba_cert_t cert)
n = _ksba_asn_find_node (cert->root, "Certificate.signatureAlgorithm");
if (!n || n->off == -1)
- err = gpg_error (GPG_ERR_UNKNOWN_ALGORITHM);
+ {
+ algo = NULL;
+ err = gpg_error (GPG_ERR_UNKNOWN_ALGORITHM);
+ }
else
err = _ksba_parse_algorithm_identifier (cert->image + n->off,
n->nhdr + n->len, &nread, &algo);
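Review bot: `algo` is set to NULL only in the not-found branch, so the `else` branch still depends on `_ksba_parse_algorithm_identifier` always writing its out parameter when it fails, which is not visible in this hunk. Giving `algo` a NULL initialiser at its declaration would cover every error path at once and make the explicit `algo = NULL;` unnecessary. The declaration and the return statement lie outside the hunk.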
diff --git a/tests/cert-basic.c b/tests/cert-basic.c
index 91b394e..4d460bc 100644
--- a/tests/cert-basic.c
+++ b/tests/cert-basic.c
@@ -448,7 +448,8 @@ one_file (const char *fname)
oid = ksba_cert_get_digest_algo (cert);
s = get_oid_desc (oid);
- printf (" hash algo.: %s%s%s%s\n", oid, s?" (":"",s?s:"",s?")":"");
+ printf (" hash algo.: %s%s%s%s\n",
+ oid?oid:"(null)", s?" (":"",s?s:"",s?")":"");
/* Under Windows the _ksba_keyinfo_from_sexp are not exported. */
#ifndef __WIN32
commit 6be61daac047d8e6aa941eb103f8e71a1d4e3c75
Author: Werner Koch <wk at gnupg.org>
Date: Tue May 3 16:01:09 2016 +0200
Fix an OOB read access in _ksba_dn_to_str.
* src/dn.c (append_utf8_value): Use a straightforward check to fix an
off-by-one.
--
The old fix for the problem from April 2015 had an off-by-one in the
bad encoding handling.
Fixes-commit: 243d12fdec66a4360fbb3e307a046b39b5b4ffc3
GnuPG-bug-id: 2344
Reported-by: Pascal Cuoq
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/src/dn.c b/src/dn.c
index d207bf0..cea18a1 100644
--- a/src/dn.c
+++ b/src/dn.c
@@ -332,11 +332,8 @@ append_utf8_value (const unsigned char *value, size_t length,
}
else
{
- if (n+nmore > length)
- nmore = length - n; /* Oops, encoding to short */
-
tmp[0] = *s++; n++;
- for (i=1; i <= nmore; i++)
+ for (i=1; n < length && i <= nmore; i++)
{
if ( (*s & 0xc0) != 0x80)
break; /* Invalid encoding - let the next cycle detect this. */
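Review bot: The new `n < length` term in the loop condition now carries the whole truncated-sequence case that the deleted `/* Oops, encoding to short */` branch used to name, and nothing in the hunk says so any more. A comment above the loop such as `/* Stop at the end of VALUE; a truncated sequence must never be read past LENGTH. */` would keep the bounds intent visible to the next editor. The loop body and whatever is done with the partially filled `tmp` continue outside the hunk, so it is worth confirming there that a short sequence is handled as intended.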
commit a7eed17a0b2a1c09ef986f3b4b323cd31cea2b64
Author: Werner Koch <wk at gnupg.org>
Date: Tue May 3 14:10:04 2016 +0200
Fix possible read access beyond the buffer.
* src/ber-help.c (_ksba_ber_parse_tl): Add extra sanity check.
* src/cert.c (ksba_cert_get_cert_policies): Check TLV given length
against buffer length.
(ksba_cert_get_ext_key_usages): Ditto.
* src/ocsp.c (parse_asntime_into_isotime): Ditto.
--
The returned length of the object from _ksba_ber_parse_tl (ti.length)
was not always checked against the actual buffer length, thus leading
to a read access after the end of the buffer and thus a segv.
GnuPG-bug-id: 2344
Reported-by: Pascal Cuoq
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/src/ber-help.c b/src/ber-help.c
index f6a6692..87109f3 100644
--- a/src/ber-help.c
+++ b/src/ber-help.c
@@ -285,9 +285,15 @@ _ksba_ber_parse_tl (unsigned char const **buffer, size_t *size,
ti->buf[ti->nhdr++] = c;
len |= c & 0xff;
}
+ /* Sanity check for the length: This is done so that we can take
+ * the value for malloc plus some additional bytes without
+ * risking an overflow. */
+ if (len > (1 << 30))
+ return gpg_error (GPG_ERR_BAD_BER);
ti->length = len;
}
+
/* Without this kludge some example certs can't be parsed */
if (ti->class == CLASS_UNIVERSAL && !ti->tag)
ti->length = 0;
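Review bot: The added `len > (1 << 30)` check is an overflow guard only; it does not compare the decoded length with the remaining `*size`, so every caller still has to bound `ti->length` against its own buffer, as the other hunks in this commit do by hand. The comment should say that explicitly, for example `/* Note: this only caps LEN; callers must still check it against the remaining buffer. */`. Giving the bare `(1 << 30)` a named constant would also let the callers' arithmetic on `ti.length` refer to the same limit. The function starts and ends outside the hunk.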
diff --git a/src/cert.c b/src/cert.c
index 7f19dc1..f3ff6a1 100644
--- a/src/cert.c
+++ b/src/cert.c
@@ -1335,9 +1335,15 @@ ksba_cert_get_cert_policies (ksba_cert_t cert, char **r_policies)
err = gpg_error (GPG_ERR_NOT_DER_ENCODED);
goto leave;
}
+ if (ti.length > derlen)
+ {
+ err = gpg_error (GPG_ERR_BAD_BER);
+ goto leave;
+ }
if (!ti.length)
{
- err = gpg_error (GPG_ERR_INV_CERT_OBJ); /* no empty inner SEQ */
+ /* We do not accept an empty inner SEQ */
+ err = gpg_error (GPG_ERR_INV_CERT_OBJ);
goto leave;
}
if (ti.nhdr+ti.length > seqlen)
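Review bot: The `ti.length > derlen` guard added here is repeated verbatim in the second ksba_cert_get_cert_policies hunk and in ksba_cert_get_ext_key_usages, and src/ocsp.c adds a fourth copy, so each call site of _ksba_ber_parse_tl has to remember it. A small static helper that runs the parse and rejects `ti.ndef` and a length beyond the remaining buffer in one place would make a missing check at a future call site much less likely. The function body continues outside the hunk, so other _ksba_ber_parse_tl calls in this file that may need the same guard are not visible here.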
@@ -1356,6 +1362,11 @@ ksba_cert_get_cert_policies (ksba_cert_t cert, char **r_policies)
err = gpg_error (GPG_ERR_INV_CERT_OBJ);
goto leave;
}
+ if (ti.length > derlen)
+ {
+ err = gpg_error (GPG_ERR_BAD_BER);
+ goto leave;
+ }
if (ti.nhdr+ti.length > seqseqlen)
{
err = gpg_error (GPG_ERR_BAD_BER);
@@ -1458,6 +1469,16 @@ ksba_cert_get_ext_key_usages (ksba_cert_t cert, char **result)
err = gpg_error (GPG_ERR_INV_CERT_OBJ);
goto leave;
}
+ if (ti.ndef)
+ {
+ err = gpg_error (GPG_ERR_NOT_DER_ENCODED);
+ goto leave;
+ }
+ if (ti.length > derlen)
+ {
+ err = gpg_error (GPG_ERR_BAD_BER);
+ goto leave;
+ }
suboid = ksba_oid_to_str (der, ti.length);
if (!suboid)
diff --git a/src/name.c b/src/name.c
index c734199..371fc41 100644
--- a/src/name.c
+++ b/src/name.c
@@ -113,7 +113,7 @@ _ksba_name_new_from_der (ksba_name_t *r_name,
*r_name = NULL;
- /* count and check for encoding errors - we won;t do this again
+ /* Count and check for encoding errors - we won't do this again
during the second pass */
der = image;
derlen = imagelen;
diff --git a/src/ocsp.c b/src/ocsp.c
index 85679bb..c053b18 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -231,6 +231,8 @@ parse_asntime_into_isotime (unsigned char const **buf, size_t *len,
&& (ti.tag == TYPE_UTC_TIME || ti.tag == TYPE_GENERALIZED_TIME)
&& !ti.is_constructed) )
err = gpg_error (GPG_ERR_INV_OBJ);
+ else if (ti.length > *len)
+ err = gpg_error (GPG_ERR_INV_BER);
else if (!(err = _ksba_asntime_to_iso (*buf, ti.length,
ti.tag == TYPE_UTC_TIME, isotime)))
parse_skip (buf, len, &ti);
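Review bot: The same condition, a TLV length larger than the remaining buffer, is reported as `GPG_ERR_INV_BER` here while the three checks added to src/cert.c in this commit use `GPG_ERR_BAD_BER`. Unless the difference is intended, one code should be used so that callers and logs can treat the truncated-object case uniformly, e.g. `err = gpg_error (GPG_ERR_BAD_BER);`. The if/else chain starts above the hunk.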
-----------------------------------------------------------------------
Summary of changes:
src/ber-help.c | 6 ++++++
src/cert.c | 28 ++++++++++++++++++++++++++--
src/dn.c | 5 +----
src/name.c | 2 +-
src/ocsp.c | 2 ++
tests/cert-basic.c | 3 ++-
6 files changed, 38 insertions(+), 8 deletions(-)
hooks/post-receive
--
KSBA is a library to access X.509 certificates and CMS data.
http://git.gnupg.org