Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 579748 (CVE-2016-4008) - <dev-libs/libtasn1-4.8: infinite loop while parsing DER certificates
Summary: <dev-libs/libtasn1-4.8: infinite loop while parsing DER certificates
Status: RESOLVED FIXED
Alias: CVE-2016-4008
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-04-12 14:45 UTC by Agostino Sarubbo
Modified: 2017-03-28 03:07 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-04-12 14:45:11 UTC
From ${URL} :

The libtasn1 library, in its 4.7 version, can loop for a long time or indefinitely when it is used 
to parse DER representations of X509 certificates, leading to a denial of service. Some of these 
loops may in addition increase heap or stack usage, leading to more issues.

References (with reproducer):

http://seclists.org/oss-sec/2016/q2/51


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2016-04-12 15:18:08 UTC
I believe we can stabilize.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2016-04-12 17:08:30 UTC
Stabilise what?
Comment 3 Alon Bar-Lev (RETIRED) gentoo-dev 2016-04-12 17:11:54 UTC
(In reply to Jeroen Roovers from comment #2)
> Stabilise what?

Sorry :)
dev-libs/libtasn1-4.8
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-04-16 12:16:54 UTC
Stable for HPPA PPC64.
Comment 5 Markus Meier gentoo-dev 2016-04-19 15:51:10 UTC
arm stable
Comment 6 Matt Turner gentoo-dev 2016-05-02 03:34:00 UTC
alpha stable
Comment 7 Alon Bar-Lev (RETIRED) gentoo-dev 2016-06-12 12:32:55 UTC
stable ping
Comment 8 Agostino Sarubbo gentoo-dev 2016-06-27 08:49:44 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-07-08 07:56:30 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-07-08 10:05:02 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-07-08 12:04:33 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-11-20 06:13:29 UTC
@amd64 got skipped somehow.  Please stabilize:

=dev-libs/libtasn1-4.8
Comment 13 Agostino Sarubbo gentoo-dev 2016-11-20 13:05:48 UTC
amd64 stable.

Maintainer(s), please cleanup.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2017-02-22 10:59:27 UTC
GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-03-28 03:07:12 UTC
This issue was resolved and addressed in
 GLSA 201703-05 at https://security.gentoo.org/glsa/201703-05
by GLSA coordinator Yury German (BlueKnight).