Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 716680 (CVE-2013-7488) - <dev-perl/Convert-ASN1-0.270.0-r1: Unsafe decoding can cause denial of service (CVE-2013-7488)
Summary: <dev-perl/Convert-ASN1-0.270.0-r1: Unsafe decoding can cause denial of servic...
Status: RESOLVED FIXED
Alias: CVE-2013-7488
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/gbarr/perl-Convert...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-08 10:32 UTC by Sam James
Modified: 2020-07-17 21:24 UTC (History)
2 users (show)

See Also:
Package list:
=dev-perl/Convert-ASN1-0.270.0-r1 amd64 sparc x86
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-08 10:32:19 UTC 
Description:
"perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 allows remote attackers to cause an infinite loop via unexpected input."

URL (bug): https://github.com/gbarr/perl-Convert-ASN1/issues/14
URL (RH): https://bugzilla.redhat.com/show_bug.cgi?id=1821879

A possible fix is mentioned in the first bug link.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-02 22:24:29 UTC 
Possible patch: https://github.com/gbarr/perl-Convert-ASN1/pull/15

@maintainer(s), please review if suitable for inclusion and let us know.
Comment 2 Larry the Git Cow gentoo-dev 2020-06-28 16:37:37 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9dc32f9b7cf12ea92bbdca93405b602d06925dd2

commit 9dc32f9b7cf12ea92bbdca93405b602d06925dd2
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2020-06-28 16:30:58 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2020-06-28 16:37:13 +0000

    dev-perl/Convert-ASN1: -r bump for CVE-2013-7488 bug #716680
    
    - EAPI7
    - Remove empty/unused variable assignments
    - Add patch submitted to upstream repo to remedy CVE-2013-7488
    
    Bug: https://bugs.gentoo.org/716680
    Bug: https://github.com/gbarr/perl-Convert-ASN1/pull/15
    Bug: https://github.com/gbarr/perl-Convert-ASN1/issues/14
    Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1821879
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Kent Fredric <kentnl@gentoo.org>

 .../Convert-ASN1/Convert-ASN1-0.270.0-r1.ebuild    | 27 +++++++++++++
 .../files/Convert-ASN1-0.270.0-CVE-2013-7488.patch | 45 ++++++++++++++++++++++
 2 files changed, 72 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-29 00:11:32 UTC 
Thanks! Let us know when ready to stable.
Comment 4 Rolf Eike Beer archtester 2020-07-06 16:51:52 UTC 
hppa stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2020-07-08 07:22:12 UTC 
ppc/ppc64 stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-08 19:55:48 UTC 
arm stable
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-08 20:55:52 UTC 
arm64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-07-09 08:34:57 UTC 
s390 stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-11 15:22:14 UTC 
sparc stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-17 00:06:10 UTC 
amd64, x86: ping
Comment 11 Agostino Sarubbo gentoo-dev 2020-07-17 07:23:07 UTC 
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-07-17 07:46:33 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Larry the Git Cow gentoo-dev 2020-07-17 08:25:28 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22e06ed632bf6b368fb0f47265666d4a80483ee3

commit 22e06ed632bf6b368fb0f47265666d4a80483ee3
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2020-07-17 08:25:07 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2020-07-17 08:25:07 +0000

    dev-perl/Convert-ASN1: Cleanup old 0.270.0 re bug #716680
    
    Bug: https://bugs.gentoo.org/716680
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Kent Fredric <kentnl@gentoo.org>

 dev-perl/Convert-ASN1/Convert-ASN1-0.270.0.ebuild | 29 -----------------------
 1 file changed, 29 deletions(-)
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-17 21:24:15 UTC 
GLSA vote: no!

Tree clean, thanks. Closing.