627014 – (CVE-2017-10790) <dev-libs/libtasn1-4.12-r1: Denial of Service Vulnerability (NULL pointer dereference)

Bug 627014 (CVE-2017-10790) - <dev-libs/libtasn1-4.12-r1: Denial of Service Vulnerability (NULL pointer dereference)

Summary: <dev-libs/libtasn1-4.12-r1: Denial of Service Vulnerability (NULL pointer der...

Status:	RESOLVED FIXED

Alias:	CVE-2017-10790

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://patches.openembedded.org/patc...
Whiteboard:	A3 [glsa cve]
Keywords:	STABLEREQ

Duplicates (1):	647010 (view as bug list)
Depends on:
Blocks:

Reported:	2017-08-04 00:36 UTC by Andrey Ovcharov
Modified:	2018-07-27 22:51 UTC (History)
CC List:	3 users (show)

See Also:
Package list:	dev-libs/libtasn1-4.12-r1 alpha amd64 arm arm64 hppa ia64 ppc ppc64 sparc x86
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
CVE-2017-10790.patch (CVE-2017-10790.patch,2.21 KB, patch) 2017-08-04 00:36 UTC, Andrey Ovcharov	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrey Ovcharov 2017-08-04 00:36:24 UTC

Created attachment 487886 [details, diff]
CVE-2017-10790.patch

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10790

"The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack."

Comment 1 D'juan McDonald (domhnall) 2017-09-03 21:24:21 UTC

Upstream Backport:

http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=d8d805e1f2e6799bb2dff4871a8598dc83088a39

@maintainer(s), after bump, please call for stable if needed. Thank you

Daj'Uan (jmbailey/mbailey_j)
Gentoo Security Padawan

Comment 2 Alon Bar-Lev (RETIRED) gentoo-dev

2017-09-03 22:20:47 UTC

Hi,
Done.
Can be stabilized.
Thanks!

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2017-09-04 12:50:45 UTC

amd64/x86 stable

Comment 4 Tobias Klausmann (RETIRED) gentoo-dev

2017-09-04 13:36:46 UTC

Stable on alpha.

Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-04 20:36:34 UTC

ia64 stable

Comment 6 Markus Meier gentoo-dev

2017-09-06 19:47:28 UTC

arm stable

Comment 7 Aaron Bauman (RETIRED) gentoo-dev

2017-09-10 22:21:26 UTC

sparc was dropped to exp.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9

Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-24 20:13:37 UTC

ppc64 stable

Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-26 23:04:45 UTC

ppc stable

Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-30 10:46:35 UTC

hppa stable

Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev

2017-10-06 09:59:36 UTC

sparc stable (thanks to Rolf Eike Beer)

Comment 12 Aaron Bauman (RETIRED) gentoo-dev

2017-10-08 19:03:04 UTC

arm64 is not stable arch, but leaving in place if they want to stabilize before GLSA is released.

Comment 13 GLSAMaker/CVETool Bot gentoo-dev

2017-10-13 22:48:14 UTC

This issue was resolved and addressed in
 GLSA 201710-11 at https://security.gentoo.org/glsa/201710-11
by GLSA coordinator Aaron Bauman (b-man).

Comment 14 Christopher Díaz Riveros (RETIRED) gentoo-dev

2018-03-14 22:52:23 UTC

*** Bug 647010 has been marked as a duplicate of this bug. ***