Bugzilla – Bug 1040621
VUL-0: CVE-2017-6891: gnutls,libtasn1: asn1_find_node() based stackoverflow
Last modified: 2024-05-08 14:40:11 UTC
via cve db:

Two errors in the "asn1_find_node()" function (lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to cause a stack-based buffer overflow by tricking a user into processing a specially crafted assignments file via e.g. the asn1Coding utility.

http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=5520704d075802df25ce4ffccc010ba1641bd484
https://secuniaresearch.flexerasoftware.com/advisories/76125/
https://secuniaresearch.flexerasoftware.com/secunia_research/2017-11/
https://lists.gnu.org/archive/html/help-libtasn1/2017-05/msg00002.html

From: Nikos Mavrogiannopoulos
Subject: libtasn1 issue [was: [Secunia Research] Libtasn1 Vulnerability Report]
Date: Fri, 19 May 2017 18:02:12 +0200

Hi,
I've dug a little further to the previously reported issue, and it seems there is an issue in asn1_find_node() if someone provides in calls like asn1_read_value() a name which contains more than 65 characters between two dots. That however I'd expect to be a very uncommon usage of libtasn1, which is typically something like:

asn1_read_value(node, "tbsResponseData.responderID.byKey", data, &len);

That is, the name is provided as a constant from the developer and these names cannot be more than 64-variables in the '.asn' files parsed by libtasn1. I do not believe that the library can even cope with malicious input to that field as can be underlined by the bug.

There will be a release in the following days including that fix, however, I'd appreciate a second pair of eyes on that issue and fix.

The issue was fixed in:
https://gitlab.com/gnutls/libtasn1/commit/5520704d075802df25ce4ffccc010ba1641bd484

Two test cases were introduced at:
https://gitlab.com/gnutls/libtasn1/commit/e43badf76307e1484fb257f271ff9a4f59258c7e
https://gitlab.com/gnutls/libtasn1/commit/1273c97343c2070a28cfa1f1dd55599ca87106e2

regards,
Nikos
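An added example, not libtasn1's own code, of the kind of bound the fix referenced above enforces: a dotted lookup name like the one quoted in the mail is split into components, and a component longer than the 64-byte buffer is rejected before anything is copied into it. NAME_COMPONENT_MAX, next_name_component and count_name_components are names chosen for this example, not libtasn1 identifiers.

```c
/* Added example, not libtasn1 code: bounded splitting of a dotted lookup
 * name such as "tbsResponseData.responderID.byKey".  The overflow in
 * asn1_find_node() came from copying a component longer than its fixed
 * stack buffer; here the length is checked before anything is copied. */
#include <stddef.h>
#include <string.h>

/* Buffer size; mirrors the 64-character name limit the report describes. */
#define NAME_COMPONENT_MAX 64

/* Copy the component starting at name[*pos] (up to the next '.' or the end
 * of the string) into out, which must hold NAME_COMPONENT_MAX + 1 bytes.
 * Advances *pos past the component (and its dot).  Returns the component
 * length, or -1 if it would not fit, in which case nothing is written. */
int next_name_component(const char *name, size_t *pos,
                        char out[NAME_COMPONENT_MAX + 1])
{
    const char *start = name + *pos;
    const char *dot = strchr(start, '.');
    size_t len = dot ? (size_t)(dot - start) : strlen(start);

    if (len > NAME_COMPONENT_MAX)
        return -1;                     /* reject instead of overflowing out */
    memcpy(out, start, len);
    out[len] = '\0';
    *pos += len + (dot ? 1 : 0);
    return (int)len;
}

/* Walk every component of a dotted name the way a lookup would.  Returns the
 * number of components, or -1 as soon as one exceeds NAME_COMPONENT_MAX. */
int count_name_components(const char *name)
{
    char comp[NAME_COMPONENT_MAX + 1];
    size_t pos = 0, total = strlen(name);
    int n = 0;

    while (pos < total) {
        if (next_name_component(name, &pos, comp) < 0)
            return -1;
        n++;
    }
    return n;
}
```

A 64-character component is accepted and a 65-character one is refused, which is exactly the boundary the reproducer's long "QQQQ..." name crosses.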
Created attachment 726973: foo.tmp

QA REPRODUCER part 1: foo.tmp used in next comment
Created attachment 726974: invalid-assignments2.txt

QA REPRODUCER: asn1Coding foo.tmp invalid-assignments2.txt will cause memory corruption backtrace before. (if not shown, use with valgrind)
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2017-07-17. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63739
Reproducer is failing with updated gnutls packages.

libgnutls26-32bit : 2.4.1-24.39.70.1 updated
libgnutls-extra-devel : 2.4.1-24.39.70.1 updated
gnutls : 2.4.1-24.39.70.1 updated
libgnutls-devel : 2.4.1-24.39.70.1 updated
libgnutls26 : 2.4.1-24.39.70.1 updated
libgnutls-extra26 : 2.4.1-24.39.70.1 updated

# asn1Coding foo.tmp invalid-assignments2.txt
Parse: done.
var=dp, value=PKIX1.
var=, value=
var=, value=
var=, value=
var=, value=
var=QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ����QQQQQQQQQQQQ����QQQQQQQQQQQQ����IX!., value=
*** buffer overflow detected ***: asn1Coding terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4e)[0xb76bcf9e]
/lib/libc.so.6(+0xf2eaa)[0xb76baeaa]
/usr/lib/libtasn1.so.3(asn1_internal_find_node+0xd1)[0xb7751751]
/usr/lib/libtasn1.so.3(asn1_internal_write_value+0x26)[0xb77500b6]
asn1Coding[0x80491f7]
/lib/libc.so.6(__libc_start_main+0xe5)[0xb75dec05]
asn1Coding[0x8048cf1]
======= Memory map: ========
(process memory map omitted)
Aborted
#
# rpm -qf /usr/bin/asn1Coding
libtasn1-1.5-1.34.1

The reproducer isn't working with gnutls code at all, only with libtasn1. Someone has to fix libtasn1, see comment #8. SLE-11 GnuTLS uses the bundled minitasn1 only for the openssl compatibility library.
SUSE-SU-2017:1886-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1034173,1038337,1040621
CVE References: CVE-2017-6891,CVE-2017-7869
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): gnutls-2.4.1-24.39.70.1
SUSE Linux Enterprise Server 11-SP4 (src): gnutls-2.4.1-24.39.70.1
SUSE Linux Enterprise High Availability Extension 11-SP4 (src): gnutls-2.4.1-24.39.70.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): gnutls-2.4.1-24.39.70.1
we still need fixes for libtasn1 for this bug.
SUSE-SU-2019:1379-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1040621,1105435
CVE References: CVE-2017-6891,CVE-2018-1000654
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): libtasn1-4.9-3.10.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): libtasn1-4.9-3.10.1
SUSE Linux Enterprise Server 12-SP4 (src): libtasn1-4.9-3.10.1
SUSE Linux Enterprise Server 12-SP3 (src): libtasn1-4.9-3.10.1
SUSE Linux Enterprise Desktop 12-SP4 (src): libtasn1-4.9-3.10.1
SUSE Linux Enterprise Desktop 12-SP3 (src): libtasn1-4.9-3.10.1
SUSE CaaS Platform ALL (src): libtasn1-4.9-3.10.1
SUSE CaaS Platform 3.0 (src): libtasn1-4.9-3.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1510-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1040621,1105435
CVE References: CVE-2017-6891,CVE-2018-1000654
Sources used:
openSUSE Leap 42.3 (src): libtasn1-4.9-6.1
SUSE-SU-2022:3797-1: An update that fixes three vulnerabilities is now available.

Category: security (critical)
Bug References: 1040621,1105435,1204690
CVE References: CVE-2017-6891,CVE-2018-1000654,CVE-2021-46848
JIRA References:
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src): libtasn1-3.7-13.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.