Bugzilla – Bug 924966
VUL-0: CVE-2012-1569: libtasn1: asn1_get_length_der() DER decoding issue
Last modified: 2015-03-30 15:17:36 UTC
Created attachment 629220
minimal fix from http://thread.gmane.org/gmane.comp.gnu.libtasn1.general/54

Checking potentially missed issues in libtasn1 for bug 924828, found this one is still affecting libtasn1. bug 753301 fixed it for gnutls.

CVE-2012-1569
The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products, does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure.

We patched this for gnutls but it is also in libtasn1.

Minimal fix, applies to 1.5 looking at the code:
http://thread.gmane.org/gmane.comp.gnu.libtasn1.general/54

Announcement:
http://thread.gmane.org/gmane.comp.gnu.libtasn1.general/53

* Noteworthy changes in release 2.12 (2012-03-19) [stable]
- Cleanup license headers.
- build: Update gnulib files.
- Corrected DER decoding issue (reported by Matthew Hall). Added self check to detect the problem, see tests/Test_overflow.c. This problem can lead to at least remotely triggered crashes, see further analysis on the libtasn1 mailing list.

Upstream test case:
http://git.savannah.gnu.org/cgit/libtasn1.git/tree/tests/Test_overflow.c

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1569
http://www.cvedetails.com/cve/CVE-2012-1569/
https://bugzilla.redhat.com/show_bug.cgi?id=804920
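
Added example, not libtasn1's code and not the upstream patch: a stand-alone DER length decoder showing the bounds checks that keep large declared lengths, the class of problem CVE-2012-1569 describes, from reaching the caller. The function names, error codes and sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
enum { DER_OK = 0, DER_TRUNCATED = -1, DER_INDEFINITE = -2, DER_TOO_LARGE = -3, DER_OVERRUN = -4 };

/* Decode the length octets at der[0..der_len). On DER_OK, *content_len is the
 * declared content size and *hdr_len the number of length octets consumed. */
int der_read_length(const unsigned char *der, size_t der_len,
                    size_t *content_len, size_t *hdr_len)
{
    size_t value, n = 0;
    if (der_len == 0)
        return DER_TRUNCATED;
    value = der[0] & 0x7f;                    /* short form: the length itself */
    if (der[0] & 0x80) {                      /* long form: count of length octets */
        n = value;
        value = 0;
        if (n == 0)
            return DER_INDEFINITE;            /* indefinite length is not valid DER */
        if (n > der_len - 1)
            return DER_TRUNCATED;             /* length octets run past the buffer */
        for (size_t i = 1; i <= n; i++) {
            if (value > (SIZE_MAX >> 8))
                return DER_TOO_LARGE;         /* next shift would wrap size_t */
            value = (value << 8) | der[i];
        }
    }
    /* Compare against the bytes left by subtraction, so no sum can wrap. */
    if (value > der_len - 1 - n)
        return DER_OVERRUN;
    *content_len = value;
    *hdr_len = 1 + n;
    return DER_OK;
}

/* Constructed sample inputs (length field onward, tag octet omitted). */
const unsigned char ok_short[]  = { 0x03, 'a', 'b', 'c' };
const unsigned char huge_len[]  = { 0x84, 0xff, 0xff, 0xff, 0xff, 0x00 };
const unsigned char wrap_len[]  = { 0x89, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
const unsigned char indef_len[] = { 0x80, 0x00 };

int der_check(const unsigned char *der, size_t der_len)
{
    size_t c, h;
    return der_read_length(der, der_len, &c, &h);
}

int main(void)
{
    return der_check(huge_len, sizeof huge_len) == DER_OVERRUN ? 0 : 1;
}
```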
The updated libtasn1 packages are 1.5 but 3.6 code with the 1.5 API/ABI. Already fixed.