From the package Changelog: libtasn1 version 2.12 was released fixing the following issue: - Corrected DER decoding issue (reported by Matthew Hall). Added self check to detect the problem, see tests/Test_overflow.c. This problem can lead to at least remotely triggered crashes, see further analysis on the libtasn1 mailing list.
@crypto: can 2.12 go to stable?
(In reply to comment #1) > @crypto: > > can 2.12 go to stable? Sure, go ahead.
Arches, please test and mark stable: =dev-libs/libtasn1-2.12 Target KEYWORDS : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
amd64 stable
x86 stable
alpha/arm/ia64/m68k/s390/sh/sparc stable
ppc done
CVE-2012-1569 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1569): The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products, does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure.
ppc64 done
Thanks, folks. GLSA Vote: Yes.
YES too, request filed.
This issue was resolved and addressed in GLSA 201209-12 at http://security.gentoo.org/glsa/glsa-201209-12.xml by GLSA coordinator Sean Amoss (ackle).
