Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 409031 (CVE-2012-1569)

Summary: <dev-libs/libtasn1-2.12 : DoS (CVE-2012-1569)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: crypto+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-03-20 16:52:06 UTC 
From the package Changelog:

libtasn1 version 2.12 was released fixing the following issue:

  - Corrected DER decoding issue (reported by Matthew Hall).
    Added self check to detect the problem, see tests/Test_overflow.c.
    This problem can lead to at least remotely triggered crashes, see
    further analysis on the libtasn1 mailing list.
Comment 1 Agostino Sarubbo gentoo-dev 2012-03-20 16:52:42 UTC 
@crypto:

can 2.12 go to stable?
Comment 2 Tim Harder gentoo-dev 2012-03-21 16:52:06 UTC 
(In reply to comment #1)
> @crypto:
> 
> can 2.12 go to stable?

Sure, go ahead.
Comment 3 Agostino Sarubbo gentoo-dev 2012-03-21 16:57:34 UTC 
Arches, please test and mark stable:
=dev-libs/libtasn1-2.12
Target KEYWORDS : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2012-03-22 12:09:32 UTC 
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2012-03-23 10:29:14 UTC 
amd64 stable
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-03-24 17:21:24 UTC 
x86 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2012-03-24 19:34:48 UTC 
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 8 Brent Baude (RETIRED) gentoo-dev 2012-03-25 13:53:04 UTC 
ppc done
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-03-28 11:17:09 UTC 
CVE-2012-1569 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1569):
  The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12,
  as used in GnuTLS before 3.0.16 and other products, does not properly handle
  certain large length values, which allows remote attackers to cause a denial
  of service (heap memory corruption and application crash) or possibly have
  unspecified other impact via a crafted ASN.1 structure.
Comment 10 Brent Baude (RETIRED) gentoo-dev 2012-03-28 20:12:22 UTC 
ppc64 done
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2012-03-28 23:28:01 UTC 
Thanks, folks. GLSA Vote: Yes.
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2012-08-14 16:07:09 UTC 
YES too, request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-09-25 22:03:46 UTC 
This issue was resolved and addressed in
 GLSA 201209-12 at http://security.gentoo.org/glsa/glsa-201209-12.xml
by GLSA coordinator Sean Amoss (ackle).