Bug 716680 (CVE-2013-7488) - <dev-perl/Convert-ASN1-0.270.0-r1: Unsafe decoding can cause denial of service (CVE-2013-7488)
Status: RESOLVED FIXED
Alias: CVE-2013-7488
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/gbarr/perl-Convert...
Whiteboard: B4 [noglsa cve]
Reported: 2020-04-08 10:32 UTC by Sam James
Modified: 2020-07-17 21:24 UTC

Package list:
=dev-perl/Convert-ASN1-0.270.0-r1 amd64 sparc x86
Runtime testing required: ---
nattka: sanity-check+

Description Sam James gentoo-dev Security 2020-04-08 10:32:19 UTC
Description:
"perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 allows remote attackers to cause an infinite loop via unexpected input."

URL (bug): https://github.com/gbarr/perl-Convert-ASN1/issues/14
URL (RH): https://bugzilla.redhat.com/show_bug.cgi?id=1821879

A possible fix is mentioned in the first bug link.
Comment 1 Sam James gentoo-dev Security 2020-05-02 22:24:29 UTC
Possible patch: https://github.com/gbarr/perl-Convert-ASN1/pull/15

@maintainer(s), please review if suitable for inclusion and let us know.
Comment 2 Larry the Git Cow gentoo-dev 2020-06-28 16:37:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9dc32f9b7cf12ea92bbdca93405b602d06925dd2

commit 9dc32f9b7cf12ea92bbdca93405b602d06925dd2
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2020-06-28 16:30:58 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2020-06-28 16:37:13 +0000

    dev-perl/Convert-ASN1: -r bump for CVE-2013-7488 bug #716680
    
    - EAPI7
    - Remove empty/unused variable assignments
    - Add patch submitted to upstream repo to remedy CVE-2013-7488
    
    Bug: https://bugs.gentoo.org/716680
    Bug: https://github.com/gbarr/perl-Convert-ASN1/pull/15
    Bug: https://github.com/gbarr/perl-Convert-ASN1/issues/14
    Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1821879
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Kent Fredric <kentnl@gentoo.org>

 .../Convert-ASN1/Convert-ASN1-0.270.0-r1.ebuild    | 27 +++++++++++++
 .../files/Convert-ASN1-0.270.0-CVE-2013-7488.patch | 45 ++++++++++++++++++++++
 2 files changed, 72 insertions(+)
Comment 3 Sam James gentoo-dev Security 2020-06-29 00:11:32 UTC
Thanks! Let us know when ready to stable.
Comment 4 Rolf Eike Beer 2020-07-06 16:51:52 UTC
hppa stable
Comment 5 Sergei Trofimovich gentoo-dev 2020-07-08 07:22:12 UTC
ppc/ppc64 stable
Comment 6 Sam James gentoo-dev Security 2020-07-08 19:55:48 UTC
arm stable
Comment 7 Sam James gentoo-dev Security 2020-07-08 20:55:52 UTC
arm64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-07-09 08:34:57 UTC
s390 stable
Comment 9 Sam James gentoo-dev Security 2020-07-11 15:22:14 UTC
sparc stable
Comment 10 Sam James gentoo-dev Security 2020-07-17 00:06:10 UTC
amd64, x86: ping
Comment 11 Agostino Sarubbo gentoo-dev 2020-07-17 07:23:07 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-07-17 07:46:33 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Larry the Git Cow gentoo-dev 2020-07-17 08:25:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22e06ed632bf6b368fb0f47265666d4a80483ee3

commit 22e06ed632bf6b368fb0f47265666d4a80483ee3
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2020-07-17 08:25:07 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2020-07-17 08:25:07 +0000

    dev-perl/Convert-ASN1: Cleanup old 0.270.0 re bug #716680
    
    Bug: https://bugs.gentoo.org/716680
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Kent Fredric <kentnl@gentoo.org>

 dev-perl/Convert-ASN1/Convert-ASN1-0.270.0.ebuild | 29 -----------------------
 1 file changed, 29 deletions(-)
Comment 14 Sam James gentoo-dev Security 2020-07-17 21:24:15 UTC
GLSA vote: no!

Tree clean, thanks. Closing.