Bugzilla – Bug 929414
VUL-1: CVE-2015-3622: libtasn1, gnutls: invalid read in octet string decoding
Last modified: 2019-05-01 16:47:02 UTC
Created attachment 633053 [details]
reproducer certificate from https://crashes.fuzzing-project.org/TFPA-2015-005-libtasn1-4.4-heap-overflow.crt

via oss-sec: http://seclists.org/oss-sec/2015/q2/315

> https://blog.fuzzing-project.org/9-Heap-overflow-invalid-read-in-Libtasn1-TFPA-0052015.html
>
> While fuzzing GnuTLS I discovered a malformed certificate input sample
> that would cause a heap overflow read of 99 bytes in the DER decoding
> functions of Libtasn1. The heap overflow happens in the function
> _asn1_extract_der_octet().
>
> This issue was reported to the Libtasn1 developer on 16th April. A fix
> was committed on 20th April and is part of the Libtasn1 4.5 release.
> This issue was found with american fuzzy lop and address sanitizer.
>
> http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commitdiff;h=f979435823a02f842c41d49cd41cc81f25b5d677
> Git commit / fix
>
> https://lists.gnu.org/archive/html/help-libtasn1/2015-04/msg00000.html
> Libtasn1 4.5 release notes
>
> https://crashes.fuzzing-project.org/TFPA-2015-005-libtasn1-4.4-heap-overflow.crt
> Sample malformed certificate exposing heap overflow (test with
> certtool -i --inder --infile=[sample] and address sanitizer or
> valgrind)

Goes together with bug 924828.

As per bug 924828 comment 5, gnutls bundles libtasn1 in SLE 11 (--with-included-libtasn1).

References:
https://blog.fuzzing-project.org/9-Heap-overflow-invalid-read-in-Libtasn1-TFPA-0052015.html
http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commitdiff;h=f979435823a02f842c41d49cd41cc81f25b5d677
https://lists.gnu.org/archive/html/help-libtasn1/2015-04/msg00000.html
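Added example, not code from libtasn1 and not the upstream fix (which is only linked above): a small bounds-checked decoder for primitive and constructed OCTET STRING values, showing the class of check that has to precede every read out of DER input so that a length field in the certificate can never drive a read past the end of the buffer. All sample inputs below are constructed for this example; the inner segment that claims 99 bytes only echoes the figure from the report and is not taken from the attached certificate. The DER_* result codes, the function names and the 64-byte output buffer are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes (names chosen for this example). */
enum { DER_OK = 0, DER_ERR_TRUNCATED = -1, DER_ERR_BAD_LENGTH = -2, DER_ERR_BAD_TAG = -3 };

/* Decode a DER length field at in[0..in_len). Returns the number of bytes
 * consumed (>0) or a negative error. Rejects the indefinite form and
 * non-minimal encodings, which DER forbids. */
static int der_read_length(const uint8_t *in, size_t in_len, size_t *out_len)
{
    if (in_len < 1) return DER_ERR_TRUNCATED;
    uint8_t b = in[0];
    if (b < 0x80) { *out_len = b; return 1; }                 /* short form */
    size_t n = b & 0x7f;                                       /* number of length octets */
    if (n == 0 || n > sizeof(size_t)) return DER_ERR_BAD_LENGTH; /* indefinite form or too wide */
    if (in_len < 1 + n) return DER_ERR_TRUNCATED;              /* length octets themselves missing */
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | in[1 + i];
    if (in[1] == 0 || (n == 1 && v < 0x80)) return DER_ERR_BAD_LENGTH; /* not minimal */
    *out_len = v;
    return (int)(1 + n);
}

/* Copy the payload of an OCTET STRING at in[0..in_len) into out (capacity out_cap).
 * Accepts the primitive form (tag 0x04) and the constructed form (tag 0x24, a
 * sequence of primitive segments). Every claimed length is compared with the
 * bytes actually remaining before any memcpy touches the input. */
static int der_extract_octet_string(const uint8_t *in, size_t in_len,
                                    uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (in_len < 1) return DER_ERR_TRUNCATED;
    uint8_t tag = in[0];
    if (tag != 0x04 && tag != 0x24) return DER_ERR_BAD_TAG;
    size_t pos = 1, len;
    int r = der_read_length(in + pos, in_len - pos, &len);
    if (r < 0) return r;
    pos += (size_t)r;
    if (len > in_len - pos) return DER_ERR_TRUNCATED;          /* outer length vs. remaining input */
    const uint8_t *body = in + pos;

    if (tag == 0x04) {                                         /* primitive: one copy */
        if (len > out_cap) return DER_ERR_BAD_LENGTH;
        memcpy(out, body, len);
        *out_len = len;
        return DER_OK;
    }

    size_t p = 0, total = 0;                                   /* constructed: walk the segments */
    while (p < len) {
        if (body[p] != 0x04) return DER_ERR_BAD_TAG;           /* only primitive segments inside */
        size_t seg;
        r = der_read_length(body + p + 1, len - p - 1, &seg);
        if (r < 0) return r;
        p += 1 + (size_t)r;
        if (seg > len - p) return DER_ERR_TRUNCATED;           /* segment length vs. enclosing body */
        if (seg > out_cap - total) return DER_ERR_BAD_LENGTH;  /* output capacity */
        memcpy(out + total, body + p, seg);
        total += seg;
        p += seg;
    }
    *out_len = total;
    return DER_OK;
}

/* Constructed sample inputs (not from the report or the attached certificate). */
static const uint8_t SAMPLE_PRIMITIVE[]   = {0x04, 0x03, 'a', 'b', 'c'};
static const uint8_t SAMPLE_CONSTRUCTED[] = {0x24, 0x08, 0x04, 0x02, 'h', 'i', 0x04, 0x02, '!', '!'};
static const uint8_t SAMPLE_OVERSIZED[]   = {0x24, 0x03, 0x04, 0x63, 'x'};   /* inner segment claims 99 bytes, 1 present */
static const uint8_t SAMPLE_TRUNCATED[]   = {0x04, 0x10, 'a'};               /* claims 16 bytes, 1 present */
static const uint8_t SAMPLE_NONMINIMAL[]  = {0x04, 0x81, 0x03, 'a', 'b', 'c'}; /* long form used for 3 */

/* Decode one sample into a scratch buffer; returns the decoded length or a negative error. */
int decode_sample(const uint8_t *in, size_t in_len)
{
    uint8_t out[64];
    size_t n = 0;
    int r = der_extract_octet_string(in, in_len, out, sizeof out, &n);
    return r < 0 ? r : (int)n;
}

int main(void)
{
    printf("primitive:   %d\n", decode_sample(SAMPLE_PRIMITIVE, sizeof SAMPLE_PRIMITIVE));
    printf("constructed: %d\n", decode_sample(SAMPLE_CONSTRUCTED, sizeof SAMPLE_CONSTRUCTED));
    printf("oversized:   %d\n", decode_sample(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED));
    printf("truncated:   %d\n", decode_sample(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("non-minimal: %d\n", decode_sample(SAMPLE_NONMINIMAL, sizeof SAMPLE_NONMINIMAL));
    return 0;
}
```

The two valid samples decode to 3 and 4 bytes; the oversized and truncated samples are refused with DER_ERR_TRUNCATED before any byte beyond the input is read, which is exactly the condition ASAN or valgrind flags when a decoder trusts the length field instead. Building this with -fsanitize=address and feeding it fuzzer output is the same workflow the report describes for certtool.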
bugbot adjusting priority
Created attachment 633086 [details] patch backported to 3.7 branch
Failing to reproduce this over-read with sample certificate on SLE 11 SP3, SLE 12 and openSUSE 13.2 (GA and updated), with valgrind or ASAN.
The reproducer is failing. The affected code would be in libtasn1 on SLE 12. The bundled libtasn1 in gnutls on SLE 11 and earlier is not affected. The plain libtasn1 on SLE 11 has the affected code.
This is an autogenerated message for OBS integration: This bug (929414) was mentioned in https://build.opensuse.org/request/show/320166 13.2+13.1 / gnutls
As gnome-maintainers seems to not exist anymore as a BZ login...

We also need libtasn1 submits on this issue. It's marked as VUL-1, so Factory would suffice. If other pending updates could be combined with this one, we can also use this one as a trigger to go.
Ismail, can you take this ...
(In reply to Sebastian Krahmer from comment #9)
> As gnome-maintainers seems to not exist anymore as a BZ login...
>
> We also need libtasn1 submits on this issue. It's marked as VUL-1,
> so Factory would suffice. If other pending updates could be combined with
> this one, we can also use this one as a trigger to go.

Factory contains libtasn1 4.5, so it's not vulnerable. SUSE:SLE-12:Update/libtasn1 and SUSE:SLE-11-SP1:Update/libtasn1 also contain the fix. So there is nothing left to fix here for libtasn1.
What about sle11-sp3 and sle11-sp1-TD?
(In reply to Sebastian Krahmer from comment #12)
> What about sle11-sp3 and sle11-sp1-TD?

I think SUSE:SLE-11-SP1:Update/libtasn1 also applies to the SP3 codebase; adding NEEDINFO maintenance@suse.de to be sure. For sle11-sp1-TD I have no idea; what's the update project for it?
So, I think there is nothing else to fix here.
openSUSE-SU-2015:1372-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 929414,929690
CVE References: CVE-2015-3622
Sources used:
openSUSE 13.2 (src): gnutls-3.2.18-11.1
openSUSE 13.1 (src): gnutls-3.2.4-2.35.1
SUSE-SU-2015:1518-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 929414,929690,941794
CVE References: CVE-2015-3622,CVE-2015-6251
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): gnutls-3.2.15-11.1
SUSE Linux Enterprise Server 12 (src): gnutls-3.2.15-11.1
SUSE Linux Enterprise Desktop 12 (src): gnutls-3.2.15-11.1
This is an autogenerated message for OBS integration: This bug (929414) was mentioned in https://build.opensuse.org/request/show/399983 13.2 / libtasn1
openSUSE-SU-2016:1567-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 929414,961491,982779
CVE References: CVE-2015-3622,CVE-2016-4008
Sources used:
openSUSE 13.2 (src): libtasn1-3.7-2.7.1
SUSE-SU-2016:1600-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 929414,961491,982779
CVE References: CVE-2015-3622,CVE-2016-4008
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): libtasn1-1.5-1.34.1
SUSE Linux Enterprise Server 11-SP4 (src): libtasn1-1.5-1.34.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): libtasn1-1.5-1.34.1
SUSE-SU-2016:1601-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 929414,961491,982779
CVE References: CVE-2015-3622,CVE-2016-4008
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): libtasn1-3.7-11.1
SUSE Linux Enterprise Software Development Kit 12 (src): libtasn1-3.7-11.1
SUSE Linux Enterprise Server 12-SP1 (src): libtasn1-3.7-11.1
SUSE Linux Enterprise Server 12 (src): libtasn1-3.7-11.1
SUSE Linux Enterprise Desktop 12-SP1 (src): libtasn1-3.7-11.1
SUSE Linux Enterprise Desktop 12 (src): libtasn1-3.7-11.1
openSUSE-SU-2016:1674-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 929414,961491,982779
CVE References: CVE-2015-3622,CVE-2016-4008
Sources used:
openSUSE Leap 42.1 (src): libtasn1-3.7-12.1
Fixed.