libksba: Remote Code Execution — GLSA 202212-07

An integer overflow vulnerability has been found in libksba which could result in remote code execution.

Affected packages

dev-libs/libksba on all architectures
Affected versions < 1.6.3
Unaffected versions >= 1.6.3

Background

Libksba is a X.509 and CMS (PKCS#7) library.

Description

An integer overflow in parsing ASN.1 objects could lead to a buffer overflow.

Impact

Crafted ASN.1 objects could trigger an integer overflow and buffer overflow to result in remote code execution.

Workaround

There is no known workaround at this time.

Resolution

All libksba users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/libksba-1.6.3"
 

References

Release date
December 28, 2022

Latest revision
December 28, 2022: 1

Severity
high

Exploitable
remote

Bugzilla entries