Bug 13456

Summary: libtasn1 new security issues CVE-2014-346[7-9]
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: sysadmin-bugs, tmb
Version: 4
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/601142/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: libtasn1-3.4-1.mga4.src.rpm
CVE:
Status comment:

Description David Walser 2014-05-30 17:08:38 CEST
Security issues fixed upstream in libtasn1 have been made public today (May 30):
http://openwall.com/lists/oss-security/2014/05/30/2

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated libtasn1 packages fix security vulnerabilities:

Multiple buffer boundary check issues were discovered in the libtasn1 library,
causing it to read beyond the boundary of an allocated buffer.  An untrusted
ASN.1 input could cause an application using the library to crash
(CVE-2014-3467).

It was discovered that the libtasn1 library function asn1_get_bit_der() could
incorrectly report a negative bit length of the value read from ASN.1 input.
This could possibly lead to an out of bounds access in an application using
libtasn1, for example if the application tried to terminate the read value
with a NUL byte (CVE-2014-3468).

A NULL pointer dereference flaw was found in libtasn1's
asn1_read_value_type() / asn1_read_value() function. If an application
called the function with a NULL value for an ivalue argument to determine
the amount of memory needed to store data to be read from the ASN.1 input,
libtasn1 could incorrectly attempt to dereference the NULL pointer, causing
an application using the library to crash (CVE-2014-3469).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3467
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3468
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3469
http://lists.gnu.org/archive/html/help-libtasn1/2014-05/msg00006.html
========================

Updated packages in core/updates_testing:
========================
libtasn1_6-3.6-1.mga3
libtasn1-tools-3.6-1.mga3
libtasn1-devel-3.6-1.mga3
libtasn1_6-3.6-1.mga4
libtasn1-tools-3.6-1.mga4
libtasn1-devel-3.6-1.mga4

from SRPMS:
libtasn1-3.6-1.mga3.src.rpm
libtasn1-3.6-1.mga4.src.rpm

David Walser 2014-05-30 17:08:43 CEST

Whiteboard: (none) => MGA3TOO
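
The negative bit length (CVE-2014-3468) and the NULL size query (CVE-2014-3469) described in the advisory, as an added C example that is not libtasn1 code and not part of the original report. `naive_bit_len` and `read_bits` are hypothetical helpers, and the input bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not libtasn1 APIs. `content` is the content of a DER
 * BIT STRING: one "unused bits" octet followed by the data octets. */
enum { BITS_OK = 0, BITS_MALFORMED = -1, BITS_TOO_SMALL = -2 };

/* Unvalidated arithmetic (caller must pass content_len >= 1): a lone
 * unused-bits octet of 7 yields 0 * 8 - 7 = -7. */
static long naive_bit_len(const unsigned char *content, size_t content_len)
{
    return ((long)content_len - 1) * 8 - content[0];
}

/* Checked version. `out` may be NULL to query the required size only; it is
 * never dereferenced in that case. */
static int read_bits(const unsigned char *content, size_t content_len,
                     unsigned char *out, size_t out_size,
                     size_t *bit_len, size_t *need)
{
    if (content == NULL || bit_len == NULL || need == NULL || content_len < 1)
        return BITS_MALFORMED;           /* unused-bits octet is mandatory */
    unsigned unused = content[0];
    size_t data_len = content_len - 1;
    if (unused > 7 || (data_len == 0 && unused != 0) || data_len > SIZE_MAX / 8)
        return BITS_MALFORMED;           /* bit count would go negative or wrap */
    *bit_len = data_len * 8 - unused;
    *need = data_len;
    if (out == NULL)
        return BITS_OK;                  /* size query */
    if (out_size < data_len)
        return BITS_TOO_SMALL;
    memcpy(out, content + 1, data_len);
    return BITS_OK;
}

int main(void)
{
    const unsigned char bad[] = { 0x07 };               /* constructed input */
    const unsigned char good[] = { 0x04, 0xA5, 0xF0 };  /* constructed input */
    size_t bits = 0, need = 0;
    printf("naive: %ld\n", naive_bit_len(bad, sizeof bad));
    printf("checked bad: %d\n", read_bits(bad, sizeof bad, NULL, 0, &bits, &need));
    int rc = read_bits(good, sizeof good, NULL, 0, &bits, &need);
    printf("checked good: %d, %zu bits, %zu bytes\n", rc, bits, need);
    return 0;
}
```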

Comment 1 claire robinson 2014-06-02 14:54:38 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=5128#c10


Testing complete mga4 64

The two test files are below.

$ cat pkix.asn 
PKIX1 { }

DEFINITIONS IMPLICIT TAGS ::=

BEGIN

Dss-Sig-Value ::= SEQUENCE {
     r       INTEGER,
     s       INTEGER
}

END

$ cat assign.asn1 
dp PKIX1.Dss-Sig-Value

r 42
s 47

Testing with commands from libtasn1-tools.

$ asn1Coding pkix.asn assign.asn1
Parse: done.

var=dp, value=PKIX1.Dss-Sig-Value
var=r, value=42
var=s, value=47

name:NULL  type:SEQUENCE
  name:r  type:INTEGER  value:0x2a
  name:s  type:INTEGER  value:0x2f

Coding: SUCCESS

-----------------
Number of bytes=8
30 06 02 01 2a 02 01 2f 
-----------------

OutputFile=assign.out

Writing: done.

$ asn1Parser pkix.asn
Done.

$ asn1Decoding pkix.asn assign.out PKIX1.Dss-Sig-Value
Parse: done.

Decoding: SUCCESS

DECODING RESULT:
name:NULL  type:SEQUENCE
  name:r  type:INTEGER  value:0x2a
  name:s  type:INTEGER  value:0x2f

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
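
The decoding step of the test above, as an added C example (not libtasn1 code and not part of the original comment): a bounds-checked reader for the 8 bytes asn1Coding printed, which refuses any header whose declared length runs past the buffer, the read-beyond-boundary class named in CVE-2014-3467. `der_header` and `decode_dss_sig` are hypothetical helpers; they assume one-octet tags, at most 4 length octets and one-octet non-negative INTEGERs, and do not enforce DER's minimal-length rule.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not libtasn1): header size of one DER TLV, 0 on error. */
static size_t der_header(const unsigned char *buf, size_t len,
                         unsigned char want_tag, size_t *content_len)
{
    size_t hdr = 2, n, k;
    if (len < 2 || buf[0] != want_tag)
        return 0;                      /* truncated, or not the expected type */
    n = buf[1];
    if (n & 0x80) {                    /* long form: k length octets follow */
        k = n & 0x7f;
        if (k == 0 || k > 4 || k > len - 2)
            return 0;                  /* indefinite, oversized or truncated */
        for (n = 0; k > 0; k--)
            n = (n << 8) | buf[hdr++];
    }
    if (n > len - hdr)
        return 0;                      /* content would run past the buffer */
    *content_len = n;
    return hdr;
}

/* SEQUENCE { r INTEGER, s INTEGER }, one-octet non-negative values only. */
static int decode_dss_sig(const unsigned char *der, size_t len, int rs[2])
{
    size_t clen, off = der_header(der, len, 0x30, &clen);
    if (off == 0 || off + clen != len)
        return -1;                     /* bad header or trailing bytes */
    for (int i = 0; i < 2; i++) {
        size_t ilen, h = der_header(der + off, len - off, 0x02, &ilen);
        if (h == 0 || ilen != 1 || (der[off + h] & 0x80))
            return -1;
        rs[i] = der[off + h];
        off += h + ilen;
    }
    return off == len ? 0 : -1;        /* both fields must fill the SEQUENCE */
}

int main(void)
{
    /* The 8 bytes printed by asn1Coding in the test above. */
    const unsigned char der[] = { 0x30, 0x06, 0x02, 0x01, 0x2a, 0x02, 0x01, 0x2f };
    int rs[2] = { 0, 0 };
    int rc = decode_dss_sig(der, sizeof der, rs);
    printf("rc=%d r=%d s=%d\n", rc, rs[0], rs[1]);
    return 0;
}
```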

Comment 2 David Walser 2014-06-02 14:57:16 CEST
Tested using Claire's testing procedure from:
https://bugs.mageia.org/show_bug.cgi?id=5128#c10

With Mageia 4 i586 I got the same results she got in the previous test.

Comment 3 David Walser 2014-06-02 15:00:34 CEST
Also got the same results testing Mageia 3 i586.

Comment 4 claire robinson 2014-06-02 15:02:16 CEST
Testing complete mga3 32 too

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok

Comment 5 claire robinson 2014-06-02 15:08:12 CEST
Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 6 claire robinson 2014-06-02 15:12:44 CEST
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates?

Thanks

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

claire robinson 2014-06-02 15:13:09 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2014-06-02 20:49:48 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0247.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2014-06-03 18:41:45 CEST

URL: (none) => http://lwn.net/Vulnerabilities/601142/