$OpenBSD: patch-src_cert_c,v 1.1 2016/07/01 07:40:23 jasper Exp $

CVE-2016-4579
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=commit;h=a7eed17a0b2a1c09ef986f3b4b323cd31cea2b64

--- src/cert.c.orig	Tue Apr 15 21:37:19 2014
+++ src/cert.c	Thu Jun 30 15:58:00 2016
@@ -1335,9 +1335,15 @@ ksba_cert_get_cert_policies (ksba_cert_t cert, char **
                   err = gpg_error (GPG_ERR_NOT_DER_ENCODED);
                   goto leave;
                 }
+              if (ti.length > derlen)
+                {
+                  err = gpg_error (GPG_ERR_BAD_BER);
+                  goto leave;
+                }
               if (!ti.length)
                 {
-                  err = gpg_error (GPG_ERR_INV_CERT_OBJ); /* no empty inner SEQ */
+                  /* We do not accept an empty inner SEQ */
+                  err = gpg_error (GPG_ERR_INV_CERT_OBJ);
                   goto leave;
                 }
               if (ti.nhdr+ti.length > seqlen)
@@ -1356,6 +1362,11 @@ ksba_cert_get_cert_policies (ksba_cert_t cert, char **
                   err = gpg_error (GPG_ERR_INV_CERT_OBJ);
                   goto leave;
                 }
+              if (ti.length > derlen)
+                {
+                  err = gpg_error (GPG_ERR_BAD_BER);
+                  goto leave;
+                }
               if (ti.nhdr+ti.length > seqseqlen)
                 {
                   err = gpg_error (GPG_ERR_BAD_BER);
@@ -1456,6 +1467,16 @@ ksba_cert_get_ext_key_usages (ksba_cert_t cert, char *
               if ( !(ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_OBJECT_ID))
                 {
                   err = gpg_error (GPG_ERR_INV_CERT_OBJ);
+                  goto leave;
+                }
+              if (ti.ndef)
+                {
+                  err = gpg_error (GPG_ERR_NOT_DER_ENCODED);
+                  goto leave;
+                }
+              if (ti.length > derlen)
+                {
+                  err = gpg_error (GPG_ERR_BAD_BER);
                   goto leave;
                 }
 
