924828 – (CVE-2015-2806) VUL-0: CVE-2015-2806: libtasn1, gnutls: two-byte stack overflow in asn1_der_decoding

Bug 924828 (CVE-2015-2806) - VUL-0: CVE-2015-2806: libtasn1, gnutls: two-byte stack overflow in asn1_der_decoding

Summary: VUL-0: CVE-2015-2806: libtasn1, gnutls: two-byte stack overflow in asn1_der_d...

Status:	RESOLVED FIXED

Alias:	CVE-2015-2806

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Deadline:	2015-12-16
Assignee:	Michael Gorse
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:released:sle11-sp1:61632 CVSSv2...
Keywords:

Depends on:
Blocks:	969208
	Show dependency tree / graph

Clone This Bug

Reported:	2015-03-29 17:02 UTC by Andreas Stieger
Modified:	2019-04-17 22:43 UTC (History)
CC List:	10 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
upstream patch (1.54 KB, patch) 2015-03-29 17:02 UTC, Andreas Stieger	Details \| Diff
reproducer data (107 bytes, text/plain) 2015-03-30 09:35 UTC, Andreas Stieger	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Stieger 2015-03-29 17:02:32 UTC

Created attachment 629095 [details]
upstream patch

libtasn1-4.4 contained the following fix:
* Noteworthy changes in release 4.4 (released 2015-03-29) [stable]
- Corrected a two-byte stack overflow in asn1_der_decoding. Reported
  by Hanno Böck.


From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Thu, 26 Mar 2015 17:34:57 +0000 (+0100)
Subject: increased size of LTOSTR_MAX_SIZE to account for sign and null byte
X-Git-Tag: libtasn1_4_4~3
X-Git-Url: http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commitdiff_plain;h=4d4f992826a4962790ecd0cce6fbba4a415ce149;hp=77068c35a32cc31ba6b3af257921ca90696c7945

increased size of LTOSTR_MAX_SIZE to account for sign and null byte

This address an overflow found by Hanno Böck in DER decoding.
---

diff --git a/lib/parser_aux.c b/lib/parser_aux.c
index d3e9009..da9a388 100644
--- a/lib/parser_aux.c
+++ b/lib/parser_aux.c
@@ -543,7 +543,7 @@ _asn1_delete_list_and_nodes (void)
 
 
 char *
-_asn1_ltostr (long v, char *str)
+_asn1_ltostr (long v, char str[LTOSTR_MAX_SIZE])
 {
   long d, r;
   char temp[LTOSTR_MAX_SIZE];
@@ -567,7 +567,7 @@ _asn1_ltostr (long v, char *str)
       count++;
       v = d;
     }
-  while (v);
+  while (v && ((start+count) < LTOSTR_MAX_SIZE-1));
 
   for (k = 0; k < count; k++)
     str[k + start] = temp[start + count - k - 1];
diff --git a/lib/parser_aux.h b/lib/parser_aux.h
index 55d9061..437f1c8 100644
--- a/lib/parser_aux.h
+++ b/lib/parser_aux.h
@@ -52,8 +52,9 @@ void _asn1_delete_list (void);
 
 void _asn1_delete_list_and_nodes (void);
 
-#define LTOSTR_MAX_SIZE 20
-char *_asn1_ltostr (long v, char *str);
+/* Max 64-bit integer length is 20 chars + 1 for sign + 1 for null termination */
+#define LTOSTR_MAX_SIZE 22
+char *_asn1_ltostr (long v, char str[LTOSTR_MAX_SIZE]);
 
 asn1_node _asn1_find_up (asn1_node node);
 



CVE requested: http://seclists.org/oss-sec/2015/q1/1038

Comment 1 Bernhard Wiedemann 2015-03-29 20:00:15 UTC

This is an autogenerated message for OBS integration:
This bug (924828) was mentioned in
https://build.opensuse.org/request/show/293643 Factory / libtasn1

Comment 2 Swamp Workflow Management 2015-03-29 22:00:13 UTC

bugbot adjusting priority

Comment 3 Andreas Stieger 2015-03-30 09:35:06 UTC

Created attachment 629150 [details]
reproducer data

Initial upstream mailing list report:
http://lists.gnu.org/archive/html/help-libtasn1/2015-01/msg00000.html

[[[
Attached is a malformed asn1 definition that causes a segfault in
libtasn1. To test: asn1Decoding segf.asn x x

Address Sanitizer trace:
==472==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
(pc 0x7fe4db0d256a sp 0x7fffe42ef2a8 bp 0x7fffe42ef2e0 T0) #0
0x7fe4db0d2569 in strlen (/lib64/libc.so.6+0x82569) #1 0x7fe4db41dcb5
in strlen (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x32cb5)
#2 0x43df3c in
_asn1_expand_object_id /tmp/libtasn1-4.2/lib/parser_aux.c:704 #3
0x4123f8 in asn1_parser2tree /tmp/libtasn1-4.2/lib/ASN1.y:704 #4
0x403183 in main /tmp/libtasn1-4.2/src/asn1Decoding.c:142 #5
0x7fe4db06ff9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f) #6
0x4049f1 (/tmp/libtasn1-4.2/src/asn1Decoding+0x4049f1)

Please note: This is only in the asn1 definition parser, not in the
asn1 parser itself, so the impact is probably minor. Still it should
probably be fixed.

Found with the help of american fuzzy lop.
]]]

Test on openSUSE 13.2 with 4.3:

$ asn1Decoding 924828-repro-0.bin x x
924828-repro-0.bin:3: Warning: NumericString is a built-in ASN.1 type.
Segmentation fault

Comment 4 Swamp Workflow Management 2015-03-30 15:42:18 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-04-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61389

Comment 5 Andreas Stieger 2015-03-30 15:55:39 UTC

gnutls bundles libtasn1 in some versions:

SLE 12:
BuildRequires:  libtasn1-devel >= 2.14, not affected

SLE 11 and earlier:
--with-included-libtasn1 affected

Comment 6 Andreas Stieger 2015-03-31 06:27:06 UTC

CVE id assigned
http://seclists.org/oss-sec/2015/q1/1060

Comment 8 Marcus Meissner 2015-04-24 15:35:41 UTC

submitted libtasn1 for 11 and 12, and opensuse

Comment 9 Marcus Meissner 2015-04-24 15:37:02 UTC

assign to viteslav for gnutls

Comment 13 Swamp Workflow Management 2015-05-12 15:05:20 UTC

openSUSE-SU-2015:0854-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 924828
CVE References: CVE-2015-2806
Sources used:
openSUSE 13.2 (src):    libtasn1-3.7-2.4.1
openSUSE 13.1 (src):    libtasn1-3.3-3.4.1

Comment 14 Swamp Workflow Management 2015-05-18 17:12:20 UTC

SUSE-SU-2015:0901-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 924828
CVE References: CVE-2015-2806
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    libtasn1-1.5-1.30.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    libtasn1-1.5-1.30.1
SUSE Linux Enterprise Server 11 SP3 (src):    libtasn1-1.5-1.30.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    libtasn1-1.5-1.30.1

Comment 16 Swamp Workflow Management 2015-05-19 09:05:22 UTC

SUSE-SU-2015:0904-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 924828
CVE References: CVE-2015-2806
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    libtasn1-3.7-4.1
SUSE Linux Enterprise Server 12 (src):    libtasn1-3.7-4.1
SUSE Linux Enterprise Desktop 12 (src):    libtasn1-3.7-4.1

Comment 17 Marcus Meissner 2015-12-02 13:23:21 UTC

does not seem to be fixed in gnutls.

Comment 18 SMASH SMASH 2015-12-02 13:30:27 UTC

An update workflow for this issue was started.

This issue was rated as "moderate".
Please submit fixed packages until "Dec. 16, 2015".

When done, reassign the bug to "security-team@suse.de".
/update/121076/.

Comment 19 SMASH SMASH 2015-12-02 13:34:12 UTC

An update workflow for this issue was started.

This issue was rated as "moderate".
Please submit fixed packages until "Dec. 16, 2015".

When done, reassign the bug to "security-team@suse.de".
/update/121076/.

Comment 20 Swamp Workflow Management 2015-12-02 13:35:32 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-12-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62360

Comment 21 Swamp Workflow Management 2015-12-02 13:37:49 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-12-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62361

Comment 22 Swamp Workflow Management 2015-12-02 13:39:29 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-12-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62362

Comment 28 Swamp Workflow Management 2016-01-11 19:11:47 UTC

SUSE-SU-2016:0077-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 924828,947271,957568
CVE References: CVE-2015-2806,CVE-2015-8313
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    gnutls-2.4.1-24.39.60.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    gnutls-2.4.1-24.39.60.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    gnutls-2.4.1-24.39.60.1
SUSE Linux Enterprise Server 11-SP4 (src):    gnutls-2.4.1-24.39.60.1
SUSE Linux Enterprise Server 11-SP3 (src):    gnutls-2.4.1-24.39.60.1
SUSE Linux Enterprise High Availability Extension 11-SP4 (src):    gnutls-2.4.1-24.39.60.1
SUSE Linux Enterprise High Availability Extension 11-SP3 (src):    gnutls-2.4.1-24.39.60.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    gnutls-2.4.1-24.39.60.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    gnutls-2.4.1-24.39.60.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    gnutls-2.4.1-24.39.60.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    gnutls-2.4.1-24.39.60.1

Comment 29 Michael Gorse 2016-01-11 19:54:14 UTC

There's an older commit, edaff4, that we need to fix this crash.

Comment 31 Andreas Stieger 2016-01-12 10:07:58 UTC

(In reply to Michael Gorse from comment #29)
> There's an older commit, edaff4, that we need to fix this crash.

The unfixed crash will be handled in bug 961491.

Comment 33 Tristan Ye 2016-02-05 07:07:36 UTC

Guys, have we fixed this issue for SLES 11SP1?