Debian summary [1]:

| Two errors in the "asn1_find_node()" function (lib/parser_aux.c)
| within GnuTLS libtasn1 version 4.10 can be exploited to cause a
| stacked-based buffer overflow by tricking a user into processing a
| specially crafted assignments file via the e.g. asn1Coding utility.

Upstream patch [2]

--
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863186
[2] https://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=5520704d075802df25ce4ffccc010ba1641bd484
Already in tree: libtasn1-4.10-r2. We can stabilize.
CVE-2017-6891 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6891): Two errors in the "asn1_find_node()" function (lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to cause a stacked-based buffer overflow by tricking a user into processing a specially crafted assignments file via the e.g. asn1Coding utility.
@ Arches, please test and mark stable: =dev-libs/libtasn1-4.10-r2
amd64 stable
x86 stable
ppc64 stable
Stable on alpha.
arm stable
sparc stable
ia64 stable
ppc stable
Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR
arm64 done
hppa stable
This issue was resolved and addressed in GLSA 201710-11 at https://security.gentoo.org/glsa/201710-11 by GLSA coordinator Aaron Bauman (b-man).