| Summary: | <dev-libs/libtasn1-4.8: infinite loop while parsing DER certificates | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | alonbl, crypto+disabled |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1325965 | ||
| Whiteboard: | A3 [glsa cve] | ||
| Package list: | Runtime testing required: | --- | |
I believe we can stabilize. Stabilise what? (In reply to Jeroen Roovers from comment #2) > Stabilise what? Sorry :) dev-libs/libtasn1-4.8 Stable for HPPA PPC64. arm stable alpha stable stable ping x86 stable ppc stable sparc stable ia64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one. @amd64 got skipped somehow. Please stabilize: =dev-libs/libtasn1-4.8 amd64 stable. Maintainer(s), please cleanup. GLSA request filed. This issue was resolved and addressed in GLSA 201703-05 at https://security.gentoo.org/glsa/201703-05 by GLSA coordinator Yury German (BlueKnight). |
From ${URL} : The libtasn1 library, in its 4.7 version, can loop for a long time or indefinitely when it is used to parse DER representations of X509 certificates, leading to a denial of service. Some of these loops may in addition increase heap or stack usage, leading to more issues. References (with reproducer): http://seclists.org/oss-sec/2016/q2/51 @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.