In the library libksba , developed by the GNUPG project and providing function for working with certificates X.509, revealed critical vulnerability ( CVE-2022-3515 ), leading to integer overflow and record of arbitrary data outside the selected buffer when analyzing the structures of ASN.1 used in S/MIME, X.509 and CMS. The problem is aggravated by the fact that the Libksba library is used in the GNUPG package and vulnerability can lead to remote execution of the attacking code when processing in GNUPG (GPGSM) of encrypted or signed data from files or postal messages using S/MIME. In the simplest case, it is enough to send a specially executed letter to attack a victim using a mail client with support for GNUPG and S/MIME.
Vulnerability can also be used to attack the servers Dirmngr , engaged in the loading and analysis of the lists of recalled certificates (CRLS) and verification of certificates used in TLS. The attack on Dirmngr can be committed from the side of the Web server, controlled by the attacker, through the return of specially designed CRLs or certificates. It is noted that publicly affordable exploites for GPGSM and DIRMNGR have not yet been revealed, but the vulnerability is typical and does not prevent the qualified attacking from preparing exploit on their own.
The vulnerability is eliminated in the issue LIBKSBA 1.6.2 and in binary assemblies /a>. In Linux distributions, the Libksba library is usually supplied in the form of a separate dependence, and in the assembly for Windows it is built into the main installation package with GNUPG.
After the update, you should not forget to restart the background processes by the GPGCONF –Kill All. To verify the presence of the problem in the output of the GPGCONF-SHOW-VERSIONS command, you can evaluate the value of the line “KSBA ….”, which should indicate a version of at least 1.6.2.
Updates for distributions have not yet been released, but you can follow their appearance on the pages: debian , ubuntu , gentoo , rheel , suse , arch , freeBSD . Vulnerability is also present in MSI and Appimage packages with GNUPG VS-Desktop and GPG4Win.