Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 409031 (CVE-2012-1569) - <dev-libs/libtasn1-2.12 : DoS (CVE-2012-1569)
Summary: <dev-libs/libtasn1-2.12 : DoS (CVE-2012-1569)
Alias: CVE-2012-1569
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2012-03-20 16:52 UTC by Agostino Sarubbo
Modified: 2012-09-25 22:03 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-03-20 16:52:06 UTC
From the package Changelog:

libtasn1 version 2.12 was released fixing the following issue:

  - Corrected DER decoding issue (reported by Matthew Hall).
    Added self check to detect the problem, see tests/Test_overflow.c.
    This problem can lead to at least remotely triggered crashes, see
    further analysis on the libtasn1 mailing list.
Comment 1 Agostino Sarubbo gentoo-dev 2012-03-20 16:52:42 UTC

can 2.12 go to stable?
Comment 2 Tim Harder gentoo-dev 2012-03-21 16:52:06 UTC
(In reply to comment #1)
> @crypto:
> can 2.12 go to stable?

Sure, go ahead.
Comment 3 Agostino Sarubbo gentoo-dev 2012-03-21 16:57:34 UTC
Arches, please test and mark stable:
Target KEYWORDS : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2012-03-22 12:09:32 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2012-03-23 10:29:14 UTC
amd64 stable
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-03-24 17:21:24 UTC
x86 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2012-03-24 19:34:48 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 8 Brent Baude (RETIRED) gentoo-dev 2012-03-25 13:53:04 UTC
ppc done
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-03-28 11:17:09 UTC
CVE-2012-1569 (
  The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12,
  as used in GnuTLS before 3.0.16 and other products, does not properly handle
  certain large length values, which allows remote attackers to cause a denial
  of service (heap memory corruption and application crash) or possibly have
  unspecified other impact via a crafted ASN.1 structure.
Comment 10 Brent Baude (RETIRED) gentoo-dev 2012-03-28 20:12:22 UTC
ppc64 done
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2012-03-28 23:28:01 UTC
Thanks, folks. GLSA Vote: Yes.
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2012-08-14 16:07:09 UTC
YES too, request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-09-25 22:03:46 UTC
This issue was resolved and addressed in
 GLSA 201209-12 at
by GLSA coordinator Sean Amoss (ackle).