Vulnerability in LibKSBA leading to code execution when handling S/MIME in GnuPG

A critical vulnerability (CVE-2022-3515) has been identified in the Libksba library, which is developed by the GnuPG project and provides functions for working with X.509 certificates. It leads to an integer overflow and a write of arbitrary data outside the allocated buffer when parsing ASN.1 structures used in S/MIME, X.509 and CMS. The problem is exacerbated by the fact that Libksba is used in the GnuPG package, so the vulnerability could lead to remote execution of attacker code when GnuPG (gpgsm) processes encrypted or signed data from files or email messages using S/MIME. In the simplest case, to attack a victim using a mail client that supports GnuPG and S/MIME, it is enough to send a specially formatted email.

The vulnerability could also be used to attack dirmngr servers that download and parse certificate revocation lists (CRLs) and verify certificates used in TLS. An attack on dirmngr can be carried out by a web server controlled by an attacker, through the return of specially crafted CRLs or certificates. It is noted that publicly available exploits for gpgsm and dirmngr have not yet been identified, but the vulnerability is typical and nothing prevents qualified attackers from preparing an exploit on their own.

The vulnerability was fixed in the Libksba 1.6.2 release and in the GnuPG 2.3.8 binary builds. On Linux distributions, Libksba is usually supplied as a separate dependency, while Windows builds bundle it into the main GnuPG installation package. After updating, do not forget to restart the background processes with the "gpgconf --kill all" command. To check whether a system is affected, look at the "KSBA ...." line in the output of the "gpgconf --show-versions" command, which must indicate a version of at least 1.6.2.
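The version check described above can be scripted for use across many hosts. The following is an added example, not code from the GnuPG project or the original article; the function names and the sample output are constructed, and the exact shape of the "KSBA" line is an assumption.

```shell
#!/bin/sh
# Added example: decide from `gpgconf --show-versions` output whether the
# Libksba in use is at least the fixed release named in the article.

FIXED_KSBA="1.6.2"   # fixed release, taken from the article

# Print the version from the "KSBA" line of text read on stdin.
# Assumed line shape: "* KSBA 1.6.2 (abcdef0)"; prints nothing if absent.
ksba_version() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "KSBA") { print $(i + 1); exit } }'
}

# version_ge A B: succeed when dotted version A >= B. Fields are compared
# numerically, so 1.10.0 > 1.6.2 (a plain string comparison gets this wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = x[i] + 0; q = y[i] + 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# Classify gpgconf output read on stdin: "patched", "vulnerable" or "unknown".
ksba_status() {
    v=$(ksba_version)
    if [ -z "$v" ]; then echo "unknown"
    elif version_ge "$v" "$FIXED_KSBA"; then echo "patched"
    else echo "vulnerable"
    fi
}

# Constructed sample output (not captured from a real host).
SAMPLE='* GnuPG 2.3.7 (0000000)
* Libassuan 2.5.5 (0000000)
* KSBA 1.6.0 (0000000)'

echo "sample: $(printf '%s\n' "$SAMPLE" | ksba_status)"
# On a real host: gpgconf --show-versions | ksba_status
# After updating, restart the daemons: gpgconf --kill all
```

An "unknown" result means no KSBA line was found and the host needs manual inspection; it should not be treated as patched.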

Updates for distributions have not yet been released, but you can follow their appearance on the pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Arch, FreeBSD. The vulnerability is also present in the MSI and AppImage packages with GnuPG VS-Desktop and in Gpg4win.

Source: opennet.ru
