Summary: | <dev-libs/libtasn1-4.10-r2: asn1_find_node() based stackoverflow (CVE-2017-6891) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Ian Zimmerman <nobrowser> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | alonbl, crypto+disabled, jstein |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | A2 [glsa cve] | ||
Package list: | dev-libs/libtasn1-4.10-r2 | ||
Runtime testing required: | --- |
Description
Ian Zimmerman
2017-05-25 15:32:03 UTC
Already in tree libtasn1-4.10-r2 we can stabilize.

CVE-2017-6891 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6891):
Two errors in the "asn1_find_node()" function (lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to cause a stacked-based buffer overflow by tricking a user into processing a specially crafted assignments file via the e.g. asn1Coding utility.

@ Arches, please test and mark stable: =dev-libs/libtasn1-4.10-r2

amd64 stable

x86 stable

ppc64 stable

Stable on alpha.

arm stable

sparc stable

ia64 stable

ppc stable

Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR

arm64 done

hppa stable

This issue was resolved and addressed in GLSA 201710-11 at https://security.gentoo.org/glsa/201710-11 by GLSA coordinator Aaron Bauman (b-man).