PublicDateAtUSN: 2016-04-29
Candidate: CVE-2016-4354
PublicDate: 2016-06-13 19:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4354
 http://www.openwall.com/lists/oss-security/2015/04/13/5
 http://www.openwall.com/lists/oss-security/2016/04/29/5
 https://ubuntu.com/security/notices/USN-2982-1
Description:
 ber-decoder.c in Libksba before 1.3.3 uses an incorrect integer data type,
 which leads to a buffer overflow and allows remote attackers to cause a
 denial of service (crash) via crafted BER data.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by: Hanno Böck
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_libksba:
 upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=aea7b6032865740478ca4b706850a5217f1c3887
upstream_libksba: released (1.3.3-1)
precise_libksba: released (1.2.0-2ubuntu0.2)
trusty_libksba: released (1.3.0-3ubuntu0.14.04.2)
trusty/esm_libksba: DNE (trusty was released [1.3.0-3ubuntu0.14.04.2])
vivid/stable-phone-overlay_libksba: DNE
vivid/ubuntu-core_libksba: DNE
wily_libksba: not-affected (1.3.3-1)
xenial_libksba: not-affected
esm-infra/xenial_libksba: not-affected
devel_libksba: not-affected
