debian/control:

Source: libksba
Section: libs
Priority: optional
Maintainer: Ubuntu Developers
XSBC-Original-Maintainer: Debian GnuTLS Maintainers
Uploaders: Andreas Metzler, Eric Dorland, James Westby, Peter Eisentraut
Build-Depends: debhelper (>= 9), libgpg-error-dev (>= 1.8), dh-autoreconf
Standards-Version: 3.9.5
Vcs-Git: git://anonscm.debian.org/pkg-phototools/libksba.git
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-gnutls/libksba.git
Homepage: http://www.gnupg.org/related_software/libksba/

Package: libksba-dev
Section: libdevel
Architecture: any
Depends: libksba8 (= ${binary:Version}), ${misc:Depends}
Replaces: libksba0
Description: X.509 and CMS support library - development files
 KSBA (pronounced Kasbah) is a library to make X.509 certificates as
 well as the CMS easily accessible by other applications. Both
 specifications are building blocks of S/MIME and TLS.
 .
 KSBA provides these subsystems: ASN.1 Parser, BER Decoder, BER
 Encoder, Certificate Handling and CMS Handling.
 .
 This package contains the development library files.

Package: libksba8
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Pre-Depends: ${misc:Pre-Depends}
Multi-Arch: same
Description: X.509 and CMS support library
 KSBA (pronounced Kasbah) is a library to make X.509 certificates as
 well as the CMS easily accessible by other applications. Both
 specifications are building blocks of S/MIME and TLS.
 .
 KSBA provides these subsystems: ASN.1 Parser, BER Decoder, BER
 Encoder, Certificate Handling and CMS Handling.
 .
 This package contains the runtime library files.

debian/libksba8.install:

usr/lib/*/lib*.so.*

debian/libksba-dev.manpages:

debian/ksba-config.1

debian/changelog:

libksba (1.3.0-3ubuntu0.14.04.2) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via decoder stack overflow
    - debian/patches/CVE-2016-4353.patch: improve error handling in
      src/ber-decoder.c.
    - CVE-2016-4353
  * SECURITY UPDATE: integer overflow in BER decoder
    - debian/patches/CVE-2016-4354-4355.patch: add overflow checks to
      src/ber-decoder.c.
    - CVE-2016-4354
    - CVE-2016-4355
  * SECURITY UPDATE: denial of service in bad encoding handling
    - debian/patches/CVE-2016-4356.patch: fix encoding of invalid utf-8
      strings in src/dn.c.
    - CVE-2016-4356
  * SECURITY UPDATE: denial of service in bad encoding handling
    - debian/patches/CVE-2016-4574.patch: fix OOB read access in
      src/dn.c.
    - CVE-2016-4574
  * SECURITY UPDATE: denial of service via TLV given length
    - debian/patches/CVE-2016-4579.patch: fix possible read access
      beyond the buffer in src/ber-help.c, src/cert.c, src/name.c,
      src/ocsp.c.
    - CVE-2016-4579

 -- Marc Deslauriers  Fri, 13 May 2016 08:39:32 -0400

libksba (1.3.0-3ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible code execution in
    ksba_oid_to_str().
    - debian/patches/CVE-2014-9087.patch: check value in src/oid.c,
      added test to tests/t-oid.c, tests/Makefile.am, fix unrelated
      typo in tests/t-dnparser.c.
    - CVE-2014-9087

 -- Marc Deslauriers  Thu, 27 Nov 2014 12:57:14 -0500

libksba (1.3.0-3) unstable; urgency=medium

  * Point vcs* to git.
  * Convert to dh, compat level 9.
  * Add debian/upstream-signing-key.pgp (listed in
    debian/source/include-binaries) and update watchfile to check
    upstream signature.
  * Sync from Ubuntu:
    + Build using dh-autoreconf. (Does not benefit us yet on Debian,
      but will fix FTBFS on ppc64le once #726404 is fixed.)

 -- Andreas Metzler  Mon, 23 Dec 2013 13:26:26 +0100

libksba (1.3.0-2) unstable; urgency=low

  * Upload to unstable.
  * Use dh v8 compat.

 -- Andreas Metzler  Sat, 11 May 2013 17:44:01 +0200

libksba (1.3.0-1) experimental; urgency=low

  * New upstream version.
    + License of library changed from GPLv3+ to LGPLv3+/GPLv2.
      (Commandline utils and documentation stay GPLv3+).
  * [lintian]: Drop "Section: libs" from libksba binary package stanza
    in debian/control.

 -- Andreas Metzler  Sat, 29 Sep 2012 14:19:05 +0200

libksba (1.2.0-2) unstable; urgency=low

  * Build for multi-arch.
  * Stop setting CFLAGS += -Wall, it is set by default again.

 -- Andreas Metzler  Sun, 19 Jun 2011 14:02:59 +0200

libksba (1.2.0-1) unstable; urgency=low

  * New upstream version.
  * Symbols added, bump shlibs.

 -- Andreas Metzler  Sat, 05 Mar 2011 14:22:57 +0100

libksba (1.1.0-2) unstable; urgency=low

  * Upload to unstable.
  * Set CFLAGS += -Wall, the latest combination of cdbs + dpkg-dev does
    not seem to set it by default.

 -- Andreas Metzler  Sat, 19 Feb 2011 15:49:20 +0100

libksba (1.1.0-1) experimental; urgency=low

  * New upstream version.
  * Change libksba-dev dependency on libksba8 to =${binary:Version
    (from >=).
  * Build-depend on libgpg-error-dev (>= 1.8).
  * Symbols added, bump shlibs.
  * Use dpkg-source v3, drop cdbs simple-patchsys.
  * New upstream does not build static libs by default, invoke
    ./configure with --enable-static.
  * Switch to dh compat level 7. (No changes except for bumping
    cdbs/debhelper build-depends.

 -- Andreas Metzler  Wed, 22 Dec 2010 10:38:18 +0100

libksba (1.0.7-2) unstable; urgency=low

  * Stop shipping la file. (squeeze release goal)
  * Stop double installing info files with both dh_install and
    dh_installinfo.

 -- Andreas Metzler  Wed, 26 Aug 2009 19:17:18 +0200

libksba (1.0.7-1) unstable; urgency=low

  * New upstream version.
  * Standards-Version: 3.8.2 - No changes required.
  * Remove cruft from debian/rules.

 -- Andreas Metzler  Sat, 18 Jul 2009 10:06:31 +0200

libksba (1.0.6-1) unstable; urgency=low

  * New upstream release.
  * Standards-Version: 3.8.1, no changes required.

 -- Andreas Metzler  Thu, 11 Jun 2009 09:39:19 +0200

libksba (1.0.5-1) unstable; urgency=low

  [ Peter Eisentraut ]
  * debian/watch: force passive FTP, since ftp.gnupg.org seems unhappy
    with active
  * Changed XS-Vcs-* control fields to Vcs-*

  [ Andreas Metzler ]
  * New upstream release.
  * [lintian] Use ${misc:Depends} for libksba-dev, too.
  * Standards-Version 3.8.0, rename debian/README.source_and_patches to
    debian/README.source

 -- Andreas Metzler  Sun, 22 Feb 2009 12:30:11 +0100

libksba (1.0.3-1) unstable; urgency=low

  * New upstream bugfix release.
  * Standards-Version: 3.7.3. ${binary:Version} instead of
    ${Source-Version}.
  * Point watchfile to ftp://ftp.gnupg.org/ since http seems to be
    broken.

 -- Andreas Metzler  Sat, 16 Feb 2008 13:51:42 +0100

libksba (1.0.2-1) unstable; urgency=low

  * New upstream release
  * Updated build dependencies:
    - bump libgpg-error-dev version requirement
    - drop bison
  * Added XS-Vcs- control fields
  * Updated copyright to GPL version 3
  * Bumped shlibs

 -- Peter Eisentraut  Wed, 08 Aug 2007 00:51:00 +0200

libksba (1.0.1-2) unstable; urgency=low

  * Upload to unstable.
  * Debhelper v5 mode.

 -- Andreas Metzler  Sun, 8 Apr 2007 17:24:22 +0200

libksba (1.0.1-1) experimental; urgency=low

  [ Andreas Metzler ]
  * Fix watchfile to not search for alpha versions anymore.
  * New upstream version.

 -- Andreas Metzler  Sat, 3 Feb 2007 11:20:28 +0100

libksba (1.0.0-1) unstable; urgency=low

  [ Peter Eisentraut ]
  * New upstream release.
  * Adjusted watch file for new download location.
  * Updated build dependencies:
    - drop libgcrypt11-dev and texinfo.
    - bump libgpg-error-dev version requirement.
    - bump debhelper build-dependency.
  * Removed redundant .docs files

  [ Andreas Metzler ]
  * Bump shlibs.
  * Add Peter Eisentraut to uploaders.

 -- Andreas Metzler  Thu, 7 Sep 2006 19:44:29 +0200

libksba (0.9.16-1) unstable; urgency=low

  [ James Westby ]
  * New upstream release.

  [ Andreas Metzler ]
  * Bump shlibs, as some stuff has been added to the interface.

 -- Andreas Metzler  Sat, 12 Aug 2006 19:34:31 +0200

libksba (0.9.15-1) unstable; urgency=low

  * New upstream version.
    - unbreaks S/mime validation in kmail. (Closes: #375084)
    - fix watch file
  * Update debian/copyright, now featuring current FSF address.

 -- Andreas Metzler  Fri, 23 Jun 2006 19:31:47 +0200

libksba (0.9.14-1) unstable; urgency=low

  [ James Westby ]
  * New maintainer team. Thanks, Matthias for all the work you did.
  * Set maintainer to alioth mailinglist.
  * New upstream release.
  * Use compat 4.
    - Build depends on debhelper (>= 4.1).
    - Add ${misc:Depends} to libksba8.
  * Clean packaging against upstream tarball.
  * Drop debian/libksba8.dirs and debian/libksba-dev.dirs. dh_* will
    generate the necessary directories.
  * Remove the unneeded debian/libksba0* files.
  * Remove the maintainer script templates, dh_* will create them as
    needed.
  * Build-Depends on autotools-dev.
  * Added Section: libs to debian/control. (Linda warning).
  * Standards-Version: 3.7.2. No changes.
  * Transition debian/rules to cdbs.
    - Using cdbs' simple-patchsys.mk, see
      debian/README.source_and_patches
  * Replace debian/*.files with debian/*.install

  [ Andreas Metzler ]
  * Update debian/copyright and include an actual copyright statement.
  * Add --enable-ld-version-script to DEB_CONFIGURE_EXTRA_FLAGS to
    force versioning of symbols, instead of patching ./configure.in.

 -- Andreas Metzler  Thu, 15 Jun 2006 16:09:35 +0200

libksba (0.9.13-1) unstable; urgency=low

  * New upstream release 0.9.13
  * Closes:#347667 (new release wanted)

 -- Matthias Urlichs  Tue, 24 Jan 2006 08:24:42 +0100

libksba (0.9.12-1) unstable; urgency=low

  * New Upstream version.
    - Upgraded version for makeshlibs.

 -- Matthias Urlichs  Thu, 20 Oct 2005 13:42:07 +0200

libksba (0.9.11-2) unstable; urgency=low

  * Added a version number to dh_mkshlibs (#324611).

 -- Matthias Urlichs  Sun, 11 Sep 2005 09:34:49 +0200

libksba (0.9.11-1) unstable; urgency=low

  * New Upstream version.

 -- Matthias Urlichs  Mon, 1 Aug 2005 01:40:34 +0200

libksba (0.9.9-3) unstable; urgency=low

  * Add a debian/watch file.

 -- Matthias Urlichs  Sat, 9 Oct 2004 18:15:49 +0200

libksba (0.9.9-2) unstable; urgency=medium

  * libksba-dev needs a Replaces: on libksba0 because the latter
    includes the ksba-config binary. Ouch.
    - Closes: #273111: libksba-dev: Error overwriting
      `/usr/bin/ksba-config'

 -- Matthias Urlichs  Fri, 24 Sep 2004 08:38:34 +0200

libksba (0.9.9-1) unstable; urgency=medium

  * New Upstream version.
    - Fixed a bug in OCSP request generation which breaks multi-level
      certificate chains.
  * Taken over.

 -- Matthias Urlichs  Wed, 18 Aug 2004 08:16:56 +0200

libksba (0.9.7-0.1) experimental; urgency=low

  * Updated to version 0.9.7.

 -- Matthias Urlichs  Mon, 14 Jun 2004 17:49:17 +0200

libksba (0.9.4-0.1) experimental; urgency=low

  * Took over packaging (the ITP is 320 days old). Closes:#187547
  * Updated to version 0.9.3.
  * Build-Depend on libgpg-error-dev, libgcrypt7-dev, byacc
  * Added manpage for ksba-config
  * The library package is at version 8, thus: rename libksba0 to
    libksba8.
  * configure.ac: AM_PROG_LIBTOOL => AC_PROG_LIBTOOL
  * added postinst and postrm for debhelper/ldconfig
  * Missed dependency on texinfo.

 -- Matthias Urlichs  Wed, 18 Feb 2004 06:20:25 +0100

libksba (0.4.6-0woody2) unstable; urgency=low

  * added a make check after make to be on the safe side

 -- Ralf Nolden (KDE)  Sat, 18 Jan 2003 17:23:16 +0100

libksba (0.4.3-0) unstable; urgency=low

  * Initial packaging.

 -- Marcus Brinkmann  Thu, 25 Jul 2002 21:50:21 +0200

debian/source/include-binaries:

debian/upstream-signing-key.pgp

debian/source/format:

3.0 (quilt)

debian/compat:

9

debian/patches/CVE-2014-9087.patch:

From f715b9e156dfa99ae829fc694e5a0abd23ef97d7 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Tue, 25 Nov 2014 11:47:28 +0100
Subject: [PATCH] Fix buffer overflow in ksba_oid_to_str.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

* src/oid.c (ksba_oid_to_str): Fix unsigned underflow.
* tests/Makefile.am (noinst_PROGRAMS): Move t-oid to ..
(TESTS): here.
* tests/t-oid.c (test_oid_to_str): New.
(main): Run the new tests by default. The former functionality
requires the use of one of the new options.
--

The code has an obvious error by not considering invalid encoding for
arc-2. A first byte of 0x80 can be used to make a value of less than
80 and we then subtract 80 from that value as required by the OID
encoding rules. Due to the unsigned integer this results in a pretty
long value which won't fit anymore into the allocated buffer.

The fix is obvious. Also added a few simple test cases. Note that we
keep on using sprintf instead of snprintf because managing the
remaining length of the buffer would probably be more error prone than
assuring that the buffer is large enough. Getting rid of sprintf
altogether by using direct conversion along with membuf_t like code
might be possible.

Reported-by: Hanno Böck
Signed-off-by: Werner Koch --- src/oid.c | 2 ++ tests/Makefile.am | 4 +-- tests/t-dnparser.c | 2 +- tests/t-oid.c | 97 ++++++++++++++++++++++++++++++++++++++++++++++++++-- 4 files changed, 99 insertions(+), 6 deletions(-) Index: libksba-1.3.0/src/oid.c =================================================================== --- libksba-1.3.0.orig/src/oid.c 2014-11-27 12:39:39.306011407 -0500 +++ libksba-1.3.0/src/oid.c 2014-11-27 12:39:39.302011374 -0500 @@ -94,6 +94,8 @@ val <<= 7; val |= buf[n] & 0x7f; } + if (val < 80) + goto badoid; val -= 80; sprintf (p, "2.%lu", val); p += strlen (p); Index: libksba-1.3.0/tests/Makefile.am =================================================================== --- libksba-1.3.0.orig/tests/Makefile.am 2014-11-27 12:39:39.306011407 -0500 +++ libksba-1.3.0/tests/Makefile.am 2014-11-27 12:40:07.950251485 -0500 @@ -39,12 +39,12 @@ BUILT_SOURCES = oidtranstbl.h CLEANFILES = oidtranstbl.h -TESTS = cert-basic t-crl-parser t-dnparser +TESTS = cert-basic t-crl-parser t-dnparser t-oid AM_CFLAGS = $(GPG_ERROR_CFLAGS) noinst_HEADERS = t-common.h -noinst_PROGRAMS = $(TESTS) t-cms-parser t-crl-parser t-dnparser t-ocsp t-oid +noinst_PROGRAMS = $(TESTS) t-cms-parser t-crl-parser t-dnparser t-ocsp LDADD = ../src/libksba.la $(GPG_ERROR_LIBS) t_ocsp_SOURCES = t-ocsp.c sha1.c Index: libksba-1.3.0/tests/t-dnparser.c =================================================================== --- libksba-1.3.0.orig/tests/t-dnparser.c 2014-11-27 12:39:39.306011407 -0500 +++ libksba-1.3.0/tests/t-dnparser.c 2014-11-27 12:39:39.302011374 -0500 
@@ -144,7 +144,7 @@ if (!feof (stdin)) fail ("read error or input too large"); - fail ("no yet implemented"); + fail ("not yet implemented"); } else if (argc == 2 && !strcmp (argv[1], "--to-der") ) Index: libksba-1.3.0/tests/t-oid.c =================================================================== --- libksba-1.3.0.orig/tests/t-oid.c 2014-11-27 12:39:39.306011407 -0500 +++ libksba-1.3.0/tests/t-oid.c 2014-11-27 12:39:39.302011374 -0500 @@ -27,6 +27,9 @@ #include "../src/ksba.h" +#define PGM "t-oid" +#define BADOID "1.3.6.1.4.1.11591.2.12242973" + static void * read_into_buffer (FILE *fp, size_t *r_length) 
@@ -68,23 +71,104 @@ } +static void +test_oid_to_str (void) +{ + struct { + unsigned int binlen; + unsigned char *bin; + char *str; + } tests[] = { + + { 7, "\x02\x82\x06\x01\x0A\x0C\x00", + "0.2.262.1.10.12.0" + }, + { 7, "\x02\x82\x06\x01\x0A\x0C\x01", + "0.2.262.1.10.12.1" + }, + { 7, "\x2A\x86\x48\xCE\x38\x04\x01", + "1.2.840.10040.4.1" + }, + { 7, "\x2A\x86\x48\xCE\x38\x04\x03", + "1.2.840.10040.4.3" + }, + { 10, "\x2B\x06\x01\x04\x01\xDA\x47\x02\x01\x01", + "1.3.6.1.4.1.11591.2.1.1" + }, + { 3, "\x55\x1D\x0E", + "2.5.29.14" + }, + { 9, "\x80\x02\x70\x50\x25\x46\xfd\x0c\xc0", + BADOID + }, + { 1, "\x80", + BADOID + }, + { 2, "\x81\x00", + "2.48" + }, + { 2, "\x81\x01", + "2.49" + }, + { 2, "\x81\x7f", + "2.175" + }, + { 2, "\x81\x80", /* legal encoding? */ + "2.48" + }, + { 2, "\x81\x81\x01", /* legal encoding? */ + "2.49" + }, + { 0, "", + "" + }, + + { 0, NULL, NULL } + }; + int tidx; + char *str; + + for (tidx=0; tests[tidx].bin; tidx++) + { + str = ksba_oid_to_str (tests[tidx].bin, tests[tidx].binlen); + if (!str) + { + perror ("ksba_oid_to_str failed"); + exit (1); + } + if (strcmp (tests[tidx].str, str)) + { + fprintf (stderr, "ksba_oid_to_str test %d failed\n", tidx); + fprintf (stderr, " got=%s\n", str); + fprintf (stderr, " want=%s\n", tests[tidx].str); + exit (1); + } + } +} + int main (int argc, char **argv) { gpg_error_t err; + if (argc) { argc--; argv++; } - if (argc) + + if (!argc) + { + test_oid_to_str (); + } + else if (!strcmp (*argv, "--from-str")) { unsigned char *buffer; size_t n, buflen; - for ( ;argc ; argc--, argv++) + for (argv++,argc-- ; argc; argc--, argv++) { err = ksba_oid_from_str (*argv, &buffer, &buflen); if (err) 
@@ -100,18 +184,25 @@ free (buffer); } } - else + else if (!strcmp (*argv, "--to-str")) { char *buffer; size_t buflen; char *result; + argv++;argc--; + buffer = read_into_buffer (stdin, &buflen); result = ksba_oid_to_str (buffer, buflen); free (buffer); printf ("%s\n", result? result:"[malloc failed]"); free (result); } + else + { + fputs ("usage: "PGM" [--from-str|--to-str]\n", stderr); + return 1; + } return 0; } debian/patches/CVE-2016-4353.patch0000664000000000000000000001066112715345340013247 0ustar From 07116a314f4dcd4d96990bbd74db95a03a9f650a Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 9 Apr 2015 11:50:03 +0200 Subject: [PATCH] Do not abort on decoder stack overflow. MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit * src/ber-decoder.c (push_decoder_state, pop_decoder_state): Return an error code. (set_error): Prefix error message with "ksba:". Act on new return code. (decoder_next): Act on new return code. -- This changes the behaviour from gpgsm: unknown hash algorithm '1.8.48.48.48.48.48.48.48.48' gpgsm: detached signature w/o data - assuming certs-only ERROR: decoder stack overflow! Aborted to gpgsm: detached signature w/o data - assuming certs-only ksba: ber-decoder: stack overflow! gpgsm: ksba_cms_parse failed: Limit reached Use "gpgsm --verify FILE" to exhibit the problem. FILE is -----BEGIN PGP ARMORED FILE----- MDAGCSqGSIb3DQEHAqCAMDACAQExDzANBgkwMDAwMDAwMDAwADCABgkwMDAwMDAw MDAAMDEwoIGTMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAjMDA= =PQdP -----END PGP ARMORED FILE----- Reported-by: Hanno Böck 
Signed-off-by: Werner Koch --- src/ber-decoder.c | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) Index: libksba-1.3.0/src/ber-decoder.c =================================================================== --- libksba-1.3.0.orig/src/ber-decoder.c 2016-05-13 08:38:53.642815807 -0400 +++ libksba-1.3.0/src/ber-decoder.c 2016-05-13 08:38:53.642815807 -0400 @@ -1,5 +1,5 @@ /* ber-decoder.c - Basic Encoding Rules Decoder - * Copyright (C) 2001, 2004, 2006, 2012 g10 Code GmbH + * Copyright (C) 2001, 2004, 2006, 2012, 2015 g10 Code GmbH * * This file is part of KSBA. * @@ -158,26 +158,28 @@ } /* Push ITEM onto the stack */ -static void +static gpg_error_t push_decoder_state (DECODER_STATE ds) { if (ds->idx >= ds->stacksize) { - fprintf (stderr, "ERROR: decoder stack overflow!\n"); - abort (); + fprintf (stderr, "ksba: ber-decoder: stack overflow!\n"); + return gpg_error (GPG_ERR_LIMIT_REACHED); } ds->stack[ds->idx++] = ds->cur; + return 0; } -static void +static gpg_error_t pop_decoder_state (DECODER_STATE ds) { if (!ds->idx) { - fprintf (stderr, "ERROR: decoder stack underflow!\n"); - abort (); + fprintf (stderr, "ksba: ber-decoder: stack underflow!\n"); + return gpg_error (GPG_ERR_INTERNAL); } ds->cur = ds->stack[--ds->idx]; + return 0; } @@ -185,7 +187,7 @@ static int set_error (BerDecoder d, AsnNode node, const char *text) { - fprintf (stderr,"ber-decoder: node `%s': %s\n", + fprintf (stderr,"ksba: ber-decoder: node `%s': %s\n", node? node->name:"?", text); d->last_errdesc = text; return gpg_error (GPG_ERR_BAD_BER); @@ -936,9 +938,9 @@ && (ds->cur.nread > ds->stack[ds->idx-1].length)) { - fprintf (stderr, " ERROR: object length field " + fprintf (stderr, "ksba: ERROR: object length field " "%d octects too large\n", - ds->cur.nread > ds->cur.length); + ds->cur.nread - ds->cur.length); ds->cur.nread = ds->cur.length; } if ( ds->idx 
@@ -948,7 +950,9 @@ >= ds->stack[ds->idx-1].length)))) { int n = ds->cur.nread; - pop_decoder_state (ds); + err = pop_decoder_state (ds); + if (err) + return err; ds->cur.nread += n; ds->cur.went_up++; } @@ -964,7 +968,9 @@ /* prepare for the next level */ ds->cur.length = ti.length; ds->cur.ndef_length = ti.ndef; - push_decoder_state (ds); + err = push_decoder_state (ds); + if (err) + return err; ds->cur.length = 0; ds->cur.ndef_length = 0; ds->cur.nread = 0; debian/patches/CVE-2016-4354-4355.patch0000664000000000000000000002104112715345350013641 0ustar From aea7b6032865740478ca4b706850a5217f1c3887 Mon Sep 17 00:00:00 2001 
From: Werner Koch
Date: Thu, 9 Apr 2015 11:17:28 +0200
Subject: [PATCH] Fix integer overflow in the BER decoder.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

* src/ber-decoder.c (ber_decoder_s): Change val.length from int to
size_t.
(sum_a1_a2_gt_b, sum_a1_a2_ge_b): New.
(decoder_next): Check for integer overflow. Use new sum function for
size check.
(_ksba_ber_decoder_dump): Use size_t for n to match change of
val.length. Adjust printf format. Check for integer overflow and use
gpg_error_from_syserror instead of GPG_ERR_ENOMEM.
(_ksba_ber_decoder_decode): Use new sum function for size check.
Check for integer overflow. Use size_t for n to match change of
val.length.
--

The actual bug described below is due to assigning an int (val.length)
to a size_t (ti.length). The int was too large and thus negative so
that the condition to check for too large objects didn't work.
Changing the type would have been enough but other conditions are
possible. Thus the introduction of sum_a1_a2_ge_b for overflow
checking and checks when adding 100 extra bytes to malloc calls are
added.

Use "gpgsm --verify FILE" to exhibit the problem.
FILE is -----BEGIN PGP ARMORED FILE----- MDAGCSqGSIb3DQEHAqCAMIACAQExDzANBgkwMDAwMDAwMDAwADAwBhcwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMAAwMTAGCTAwMDAwMDAwMDAwBgkwMDAwMDAwMDAwMAYJ MDAwMDAwMDAwMDAXLDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwCoYwMP////UwMDAwMDAwMDAwMDAwMDAwMA== =tvju -----END PGP ARMORED FILE----- Without the patch this error occured: gpgsm: unknown hash algorithm '1.8.48.48.48.48.48.48.48.48' gpgsm: detached signature w/o data - assuming certs-only ================================================================= ==14322==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000aded at pc 0x462ca8 bp 0x7fffd5928d90 sp 0x7fffd5928d80 WRITE of size 1 at 0x60b00000aded thread T0 #0 0x462ca7 in base64_reader_cb [...]-2.1.2/sm/base64.c:363 #1 0x7f35e70b6365 (/usr/lib64/libksba.so.8+0x7365) #2 0x7f35e70bee11 (/usr/lib64/libksba.so.8+0xfe11) #3 0x7f35e70c75ed (/usr/lib64/libksba.so.8+0x185ed) #4 0x7f35e70c7a9d (/usr/lib64/libksba.so.8+0x18a9d) #5 0x7f35e70c356f (/usr/lib64/libksba.so.8+0x1456f) #6 0x7f35e70c58bf (/usr/lib64/libksba.so.8+0x168bf) #7 0x48cbee in gpgsm_verify [...]/gnupg-2.1.2/sm/verify.c:171 #8 0x412901 in main /data/gnupg/gnupg-2.1.2/sm/gpgsm.c:1795 #9 0x7f35e68d5f9f in __libc_start_main ([...] #10 0x415a91 (/data/gnupg/gnupg-2.1.2/sm/gpgsm+0x415a91) 0x60b00000aded is located 0 bytes to the right of 109-byte region [0x60b00000ad80,0x60b00000aded) allocated by thread T0 here: #0 0x7f35e782e6f7 in malloc [...] #1 0x7f35e75040b0 (/usr/lib64/libgcrypt.so.20+0xc0b0) SUMMARY: AddressSanitizer: heap-buffer-overflow [...] 
Shadow bytes around the buggy address: 0x0c167fff9560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff9570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff9580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff9590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c167fff95a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c167fff95b0: 00 00 00 00 00 00 00 00 00 00 00 00 00[05]fa fa 0x0c167fff95c0: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00 0x0c167fff95d0: 00 00 00 fa fa fa fa fa fa fa fa fa 00 00 00 00 Reported-by: Hanno Böck Signed-off-by: Werner Koch --- src/ber-decoder.c | 71 ++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 54 insertions(+), 17 deletions(-) Index: libksba-1.3.0/src/ber-decoder.c =================================================================== --- libksba-1.3.0.orig/src/ber-decoder.c 2016-05-13 08:39:01.142787782 -0400 +++ libksba-1.3.0/src/ber-decoder.c 2016-05-13 08:39:01.138787797 -0400 @@ -100,7 +100,7 @@ struct { int primitive; /* current value is a primitive one */ - int length; /* length of the primitive one */ + size_t length; /* length of the primitive one */ int nhdr; /* length of the header */ int tag; int is_endtag; @@ -109,6 +109,23 @@ }; + +/* Evaluate with overflow check: A1 + A2 > B */ +static inline int +sum_a1_a2_gt_b (size_t a1, size_t a2, size_t b) +{ + size_t sum = a1 + a2; + return (sum < a1 || sum > b); +} + +/* Evaluate with overflow check: A1 + A2 >= B */ +static inline int +sum_a1_a2_ge_b (size_t a1, size_t a2, size_t b) +{ + size_t sum = a1 + a2; + return (sum < a1 || sum >= b); +} + static DECODER_STATE 
@@ -841,14 +858,16 @@ { /* We need some extra bytes to store the stuff we read ahead at the end of the module which is later pushed back. */ - d->image.length = ti.length + 100; d->image.used = 0; + d->image.length = ti.length + 100; + if (d->image.length < ti.length) + return gpg_error (GPG_ERR_BAD_BER); d->image.buf = xtrymalloc (d->image.length); if (!d->image.buf) return gpg_error (GPG_ERR_ENOMEM); } - if (ti.nhdr + d->image.used >= d->image.length) + if (sum_a1_a2_ge_b (ti.nhdr, d->image.used, d->image.length)) return set_error (d, NULL, "image buffer too short to store the tag"); memcpy (d->image.buf + d->image.used, ti.buf, ti.nhdr); @@ -1047,7 +1066,7 @@ int depth = 0; AsnNode node; unsigned char *buf = NULL; - size_t buflen = 0;; + size_t buflen = 0; if (!d) return gpg_error (GPG_ERR_INV_VALUE); @@ -1069,9 +1088,9 @@ if (node) depth = distance (d->root, node); - fprintf (fp, "%4lu %4u:%*s", + fprintf (fp, "%4lu %4lu:%*s", ksba_reader_tell (d->reader) - d->val.nhdr, - d->val.length, + (unsigned long)d->val.length, depth*2, ""); if (node) _ksba_asn_node_dump (node, fp); @@ -1080,16 +1099,22 @@ if (node && d->val.primitive) { - int i, n, c; + size_t n; + int i, c; char *p; if (!buf || buflen < d->val.length) { xfree (buf); buflen = d->val.length + 100; - buf = xtrymalloc (buflen); - if (!buf) - err = gpg_error (GPG_ERR_ENOMEM); + if (buflen < d->val.length) + err = gpg_error (GPG_ERR_BAD_BER); /* Overflow */ + else + { + buf = xtrymalloc (buflen); + if (!buf) + err = gpg_error_from_syserror (); + } } for (n=0; !err && n < d->val.length; n++) @@ -1177,8 +1202,6 @@ while (!(err = decoder_next (d))) { - int n, c; - node = d->val.node; /* Fixme: USE_IMAGE is only not used with the ber-dump utility and thus of no big use. We should remove the other code 
@@ -1194,7 +1217,7 @@ if (node->type == TYPE_ANY) node->actual_type = d->val.tag; } - if (d->image.used + d->val.length > d->image.length) + if (sum_a1_a2_gt_b (d->image.used, d->val.length, d->image.length)) err = set_error(d, NULL, "TLV length too large"); else if (d->val.primitive) { @@ -1202,18 +1225,32 @@ d->image.buf + d->image.used, d->val.length)) err = eof_or_error (d, 1); else - d->image.used += d->val.length; + { + size_t sum = d->image.used + d->val.length; + if (sum < d->image.used) + err = gpg_error (GPG_ERR_BAD_BER); + else + d->image.used = sum; + } } } else if (node && d->val.primitive) { + size_t n; + int c; + if (!buf || buflen < d->val.length) { xfree (buf); buflen = d->val.length + 100; - buf = xtrymalloc (buflen); - if (!buf) - err = gpg_error (GPG_ERR_ENOMEM); + if (buflen < d->val.length) + err = gpg_error (GPG_ERR_BAD_BER); + else + { + buf = xtrymalloc (buflen); + if (!buf) + err = gpg_error_from_syserror (); + } } for (n=0; !err && n < d->val.length; n++) debian/patches/series0000664000000000000000000000017512715345375012053 0ustar CVE-2014-9087.patch CVE-2016-4353.patch CVE-2016-4354-4355.patch CVE-2016-4356.patch CVE-2016-4574.patch CVE-2016-4579.patch debian/patches/CVE-2016-4574.patch0000664000000000000000000000222712715345371013257 0ustar From 6be61daac047d8e6aa941eb103f8e71a1d4e3c75 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Tue, 3 May 2016 16:01:09 +0200 Subject: [PATCH] Fix an OOB read access in _ksba_dn_to_str. * src/dn.c (append_utf8_value): Use a straightforward check to fix an off-by-one. -- The old fix for the problem from April 2015 had an off-by-one in the bad encoding handing. Fixes-commit: 243d12fdec66a4360fbb3e307a046b39b5b4ffc3 GnuPG-bug-id: 2344 Reported-by: Pascal Cuoq Signed-off-by: Werner Koch --- src/dn.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/dn.c b/src/dn.c index d207bf0..cea18a1 100644 --- a/src/dn.c +++ b/src/dn.c 
@@ -332,11 +332,8 @@ append_utf8_value (const unsigned char *value, size_t length, } else { - if (n+nmore > length) - nmore = length - n; /* Oops, encoding to short */ - tmp[0] = *s++; n++; - for (i=1; i <= nmore; i++) + for (i=1; n < length && i <= nmore; i++) { if ( (*s & 0xc0) != 0x80) break; /* Invalid encoding - let the next cycle detect this. */ -- 2.8.0.rc3 debian/patches/CVE-2016-4356.patch0000664000000000000000000001035212715345360013251 0ustar From 243d12fdec66a4360fbb3e307a046b39b5b4ffc3 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 8 Apr 2015 18:51:21 +0200 Subject: [PATCH] Fix encoding of invalid utf-8 strings in dn.c MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit * src/dn.c (append_quoted, append_atv): Use snprintf. (append_utf8_value): Fix invalid encoding handling. -- An invalid utf-8 encoding will make the loop in append_utf8_value run once more with N > length which is not found by the termination condition and only the former assert terminates the process if the byte following the bad encoding has the high bit cleared. This will lead to a read access out of bounds. The patch removes the assert and fixes the handling of bad encoding. Due to the new quoting the output of a badly encoded utf-8 string will be different than in previous versions. Replacing sprintf is only for cosmetic reasons. Use "gpgsm --verify FILE" to exhibit the problem. FILE is -----BEGIN PGP ARMORED FILE----- MDAGCSqGSIb3DQEHAqCAMDACAQExDzANBgkwMDAwMDAwMDAwADCABgkwMDAwMDAw MDAAMDEwAgEwMDAwMDEwMDAGA1UEAwwB/4AwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw =NJTr -----END PGP ARMORED FILE----- Reported-by: Hanno Böck Signed-off-by: Werner Koch --- src/dn.c | 44 +++++++++++++++++++++++++++----------------- 1 file changed, 27 insertions(+), 17 deletions(-) diff --git a/src/dn.c b/src/dn.c index 4fab689..d207bf0 100644 --- a/src/dn.c +++ b/src/dn.c 
@@ -260,7 +260,7 @@ append_quoted (struct stringbuf *sb, const unsigned char *value, size_t length, n += skip; if ( *s < ' ' || *s > 126 ) { - sprintf (tmp, "\\%02X", *s); + snprintf (tmp, sizeof tmp, "\\%02X", *s); put_stringbuf_mem (sb, tmp, 3); } else @@ -300,7 +300,6 @@ append_utf8_value (const unsigned char *value, size_t length, length--; } - /* FIXME: check that the invalid encoding handling is correct */ for (s=value, n=0;;) { for (value = s; n < length && !(*s & 0x80); n++, s++) @@ -309,8 +308,9 @@ append_utf8_value (const unsigned char *value, size_t length, append_quoted (sb, value, s-value, 0); if (n==length) return; /* ready */ - assert ((*s & 0x80)); - if ( (*s & 0xe0) == 0xc0 ) /* 110x xxxx */ + if (!(*s & 0x80)) + nmore = 0; /* Not expected here: high bit not set. */ + else if ( (*s & 0xe0) == 0xc0 ) /* 110x xxxx */ nmore = 1; else if ( (*s & 0xf0) == 0xe0 ) /* 1110 xxxx */ nmore = 2; @@ -320,21 +320,31 @@ append_utf8_value (const unsigned char *value, size_t length, nmore = 4; else if ( (*s & 0xfe) == 0xfc ) /* 1111 110x */ nmore = 5; - else /* invalid encoding */ - nmore = 5; /* we will reduce the check length anyway */ - - if (n+nmore > length) - nmore = length - n; /* oops, encoding to short */ + else /* Invalid encoding */ + nmore = 0; - tmp[0] = *s++; n++; - for (i=1; i <= nmore; i++) + if (!nmore) { - if ( (*s & 0xc0) != 0x80) - break; /* invalid encoding - stop */ - tmp[i] = *s++; - n++; + /* Encoding error: We quote the bad byte. */ + snprintf (tmp, sizeof tmp, "\\%02X", *s); + put_stringbuf_mem (sb, tmp, 3); + s++; n++; + } + else + { + if (n+nmore > length) + nmore = length - n; /* Oops, encoding to short */ + + tmp[0] = *s++; n++; + for (i=1; i <= nmore; i++) + { + if ( (*s & 0xc0) != 0x80) + break; /* Invalid encoding - let the next cycle detect this. */ + tmp[i] = *s++; + n++; + } + put_stringbuf_mem (sb, tmp, i); } - put_stringbuf_mem (sb, tmp, i); } } 
@@ -618,7 +628,7 @@ append_atv (const unsigned char *image, AsnNode root, struct stringbuf *sb) for (i=0; i < node->len; i++) { char tmp[3]; - sprintf (tmp, "%02X", image[node->off+node->nhdr+i]); + snprintf (tmp, sizeof tmp, "%02X", image[node->off+node->nhdr+i]); put_stringbuf (sb, tmp); } break; -- 2.8.0.rc3 debian/patches/CVE-2016-4579.patch0000664000000000000000000001105312715345402013254 0ustar From a7eed17a0b2a1c09ef986f3b4b323cd31cea2b64 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Tue, 3 May 2016 14:10:04 +0200 Subject: [PATCH] Fix possible read access beyond the buffer. * src/ber-help.c (_ksba_ber_parse_tl): Add extra sanity check. * src/cert.c (ksba_cert_get_cert_policies): Check TLV given length against buffer length. (ksba_cert_get_ext_key_usages): Ditto. * src/ocsp.c (parse_asntime_into_isotime): Ditto. -- The returned length of the object from _ksba_ber_parse_tl (ti.length) was not always checked against the actual buffer length, thus leading to a read access after the end of the buffer and thus a segv. GnuPG-bug-id: 2344 Reported-by: Pascal Cuoq Signed-off-by: Werner Koch --- src/ber-help.c | 6 ++++++ src/cert.c | 23 ++++++++++++++++++++++- src/name.c | 2 +- src/ocsp.c | 2 ++ 4 files changed, 31 insertions(+), 2 deletions(-) Index: libksba-1.3.0/src/ber-help.c =================================================================== --- libksba-1.3.0.orig/src/ber-help.c 2016-05-13 08:39:26.754709977 -0400 +++ libksba-1.3.0/src/ber-help.c 2016-05-13 08:39:26.750709987 -0400 
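Review bot: In the CVE-2016-4356 patch, hunk `@@ -320,21 +320,31 @@` of src/dn.c, the clamp `if (n+nmore > length) nmore = length - n;` is off by one because it is evaluated before `tmp[0] = *s++; n++;` consumes the lead byte. Whenever nmore ends up equal to length - n, the last pass of `for (i=1; i <= nmore; i++)` tests `*s` when n already equals length, which reads one byte past the value. Bound the loop on n itself (`n < length && i <= nmore`) or clamp to the bytes remaining after the lead byte. The comment "encoding to short" should read "too short".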
@@ -285,9 +285,15 @@ ti->buf[ti->nhdr++] = c; len |= c & 0xff; } + /* Sanity check for the length: This is done so that we can take + * the value for malloc plus some additional bytes without + * risking an overflow. */ + if (len > (1 << 30)) + return gpg_error (GPG_ERR_BAD_BER); ti->length = len; } + /* Without this kludge some example certs can't be parsed */ if (ti->class == CLASS_UNIVERSAL && !ti->tag) ti->length = 0; Index: libksba-1.3.0/src/cert.c =================================================================== --- libksba-1.3.0.orig/src/cert.c 2016-05-13 08:39:26.754709977 -0400 +++ libksba-1.3.0/src/cert.c 2016-05-13 08:39:26.750709987 -0400 @@ -1337,9 +1337,15 @@ err = gpg_error (GPG_ERR_NOT_DER_ENCODED); goto leave; } + if (ti.length > derlen) + { + err = gpg_error (GPG_ERR_BAD_BER); + goto leave; + } if (!ti.length) { - err = gpg_error (GPG_ERR_INV_CERT_OBJ); /* no empty inner SEQ */ + /* We do not accept an empty inner SEQ */ + err = gpg_error (GPG_ERR_INV_CERT_OBJ); goto leave; } if (ti.nhdr+ti.length > seqlen) @@ -1358,6 +1364,11 @@ err = gpg_error (GPG_ERR_INV_CERT_OBJ); goto leave; } + if (ti.length > derlen) + { + err = gpg_error (GPG_ERR_BAD_BER); + goto leave; + } if (ti.nhdr+ti.length > seqseqlen) { err = gpg_error (GPG_ERR_BAD_BER); @@ -1460,6 +1471,16 @@ err = gpg_error (GPG_ERR_INV_CERT_OBJ); goto leave; } + if (ti.ndef) + { + err = gpg_error (GPG_ERR_NOT_DER_ENCODED); + goto leave; + } + if (ti.length > derlen) + { + err = gpg_error (GPG_ERR_BAD_BER); + goto leave; + } suboid = ksba_oid_to_str (der, ti.length); if (!suboid) Index: libksba-1.3.0/src/name.c =================================================================== --- libksba-1.3.0.orig/src/name.c 2016-05-13 08:39:26.754709977 -0400 +++ libksba-1.3.0/src/name.c 2016-05-13 08:39:26.750709987 -0400 
@@ -113,7 +113,7 @@ *r_name = NULL; - /* count and check for encoding errors - we won;t do this again + /* Count and check for encoding errors - we won't do this again during the second pass */ der = image; derlen = imagelen; Index: libksba-1.3.0/src/ocsp.c =================================================================== --- libksba-1.3.0.orig/src/ocsp.c 2016-05-13 08:39:26.754709977 -0400 +++ libksba-1.3.0/src/ocsp.c 2016-05-13 08:39:26.750709987 -0400 
@@ -231,6 +231,8 @@ && (ti.tag == TYPE_UTC_TIME || ti.tag == TYPE_GENERALIZED_TIME) && !ti.is_constructed) ) err = gpg_error (GPG_ERR_INV_OBJ); + else if (ti.length > *len) + err = gpg_error (GPG_ERR_INV_BER); else if (!(err = _ksba_asntime_to_iso (*buf, ti.length, ti.tag == TYPE_UTC_TIME, isotime))) parse_skip (buf, len, &ti); debian/copyright0000664000000000000000000000725112246650452011136 0ustar This package was debianized by Marcus Brinkmann on Thu, 25 Jul 2002 21:50:21 +0200. It was later taken over by Matthias Urlichs , and is now maintained by Andreas Metzler , Eric Dorland , James Westby , Peter Eisentraut It was downloaded from http://ftp.gnupg.org/GnuPG/libksba/. Upstream Authors: g10 Code GmbH and Fabio Fiorina. Copyright: | Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2010, 2011 | 2012 g10 Code GmbH | Copyright (C) 2001, 2002, 2003, 2007 Free Software Foundation, Inc. | Copyright (C) 2000, 2001 Fabio Fiorina The library and the header files are distributed under the following terms (LGPLv3+/GPLv2+): | KSBA is free software; you can redistribute it and/or modify | it under the terms of either | | - the GNU Lesser General Public License as published by the Free | Software Foundation; either version 3 of the License, or (at | your option) any later version. | | or | | - the GNU General Public License as published by the Free | Software Foundation; either version 2 of the License, or (at | | or both in parallel, as here. | | KSBA is distributed in the hope that it will be useful, but WITHOUT | ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public | License for more details. The other parts (e.g. 
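Review bot: In src/ber-help.c (`@@ -285,9 +285,15 @@`), the new `len > (1 << 30)` test runs only after the length octets have been accumulated with `len |= c & 0xff`, so it bounds the final value but not what happened during accumulation. If the number of length octets can exceed the width of len, reject that inside the loop instead. The limit would also read better as a named constant placed next to the comment that explains it, and the blank line added before the "kludge" comment is an unrelated whitespace change.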
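Review bot: In src/cert.c the block `if (ti.length > derlen) { err = gpg_error (GPG_ERR_BAD_BER); goto leave; }` is open-coded at three call sites (`@@ -1337,9 +1337,15 @@`, `@@ -1358,6 +1364,11 @@`, `@@ -1460,6 +1471,16 @@`). The commit message says ti.length "was not always checked" against the buffer length, and repeating the check per call site keeps that risk for the next caller. Consider one helper that parses a TLV and validates ti.length against the remaining buffer in a single step, and use it in all three places.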
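Review bot: In src/ocsp.c (`@@ -231,6 +231,8 @@`), the new `ti.length > *len` branch returns GPG_ERR_INV_BER, while the equivalent length checks added in src/cert.c and src/ber-help.c by this same patch return GPG_ERR_BAD_BER. Callers that match on the error code will see two different results for the same condition, so pick one code for "TLV length exceeds buffer" and use it in every hunk.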
manual, build system, tests) are distributed under the following terms (GPLv3): | KSBA is free software; you can redistribute it and/or modify | it under the terms of the GNU General Public License as published by | the Free Software Foundation; either version 3 of the License, or | (at your option) any later version. | | KSBA is distributed in the hope that it will be useful, | but WITHOUT ANY WARRANTY; without even the implied warranty of | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | GNU General Public License for more details. The ASN.1 definition for CMS is based on a specification published under the following terms (see src/cms.asn): | Copyright (C) The Internet Society (1999). All Rights Reserved. | | This document and translations of it may be copied and furnished to | others, and derivative works that comment on or otherwise explain it | or assist in its implementation may be prepared, copied, published | and distributed, in whole or in part, without restriction of any | kind, provided that the above copyright notice and this paragraph are | included on all such copies and derivative works. However, this | document itself may not be modified in any way, such as by removing | the copyright notice or references to the Internet Society or other | Internet organizations, except as needed for the purpose of | developing Internet standards in which case the procedures for | copyrights defined in the Internet Standards process must be | followed, or as required to translate it into languages other than | English. | | The limited permissions granted above are perpetual and will not be | revoked by the Internet Society or its successors or assigns. 
| | This document and the information contained herein is provided on an | "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING | TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING | BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION | HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF | MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. On Debian systems, the complete text of the GNU General Public License can be found in `/usr/share/common-licenses/GPL-3'. debian/libksba-dev.info0000664000000000000000000000004112246650452012231 0ustar debian/tmp/usr/share/info/*info* debian/watch0000664000000000000000000000017012256024242010216 0ustar version=3 opts=pasv,pgpsigurlmangle=s/$/.sig/ \ ftp://ftp.gnupg.org/GnuPG/libksba/libksba-(.*)\.tar\.bz2 debian uupdate debian/libksba8.docs0000664000000000000000000000002412256023773011544 0ustar NEWS README AUTHORS debian/libksba-dev.install0000664000000000000000000000013712246650452012752 0ustar usr/include/* usr/lib/*/lib*.a usr/lib/*/lib*.so usr/share/aclocal/ksba.m4 usr/bin/ksba-config debian/upstream-signing-key.pgp0000664000000000000000000001310012256024152013754 0ustar
= 1.2.0)" %: dh $@ --parallel --with autoreconf debian/ksba-config.10000664000000000000000000000132012246650452011437 0ustar .TH KSBA-CONFIG 1 "Dec 5, 2001" "libksba" .SH NAME ksba-config \- print libksba library configuration information .SH SYNOPSIS .B "ksba-config" [\-\-prefix] [\-\-exec-prefix] [\-\-version] [\-\-libs] [\-\-cflags] .SH DESCRIPTION This prints out various configuration information for the ksba library. It is useful for application building and packaging procedures. .SH OPTIONS .TP .I \-\-version Show version number. .TP .I \-\-prefix Outputs the prefix used to install libksba. .TP .I \-\-exec-prefix Outputs the exec-prefix used to install libksba. .TP .I \-\-cflags Outputs include flags for the C compiler. .TP .I \-\-libs Outputs library flags for the linker. .SH AUTHOR Matthias Urlichs