Bug 22462

Summary: libtasn1 new security issues CVE-2017-10790 and CVE-2018-6003
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, herman.viaene, marja11, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: libtasn1-4.12-1.mga6.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 22484    
Attachments: assign.asn1
pkix.asn

Description David Walser 2018-01-26 05:22:43 CET 
Ubuntu has issued an advisory today (January 25):
https://usn.ubuntu.com/usn/usn-3547-1/

CVE-2018-6003 does not affect Mageia 5, but does affect Mageia 6.

CVE-2017-10790 also affects Mageia 5 and Mageia 6.
David Walser 2018-01-26 05:22:51 CET

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-01-26 06:31:55 CET 
CVE-2018-6003 was fixed in 4.13.  Fedora has issued an advisory for this on January 23:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SV667U5M7I5UJQFCA7UOSEE4AKKYRA64/
Comment 2 Marja Van Waes 2018-01-26 07:27:08 CET 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

David Walser 2018-01-28 22:29:35 CET

Blocks: (none) => 22484

Comment 3 David Walser 2018-01-28 22:33:31 CET 
Updated packages uploaded for Mageia 6 and Cauldron.

Advisory:
========================

Updated libtasn1 packages fix security vulnerabilities:

It was discovered that Libtasn1 incorrectly handled certain files. If a user
were tricked into opening a crafted file, an attacker could possibly use this
to cause a denial of service (CVE-2017-10790).

It was discovered that Libtasn1 incorrectly handled certain inputs. An attacker
could possibly use this to cause Libtasn1 to hang, resulting in a denial of
service (CVE-2018-6003).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6003
https://usn.ubuntu.com/usn/usn-3547-1/
========================

Updated packages in core/updates_testing:
========================
libtasn1_6-4.13-1.mga6
libtasn1-tools-4.13-1.mga6
libtasn1-devel-4.13-1.mga6

from libtasn1-4.13-1.mga6.src.rpm

Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 4 Herman Viaene 2018-02-06 14:57:49 CET 
Created attachment 9959 [details]
assign.asn1

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2018-02-06 14:58:17 CET 
Created attachment 9960 [details]
pkix.asn
Comment 6 Herman Viaene 2018-02-06 15:01:25 CET 
MGA6-64 on Lenovo B50 Plasma
No installation issues
Rerun test as per bug 20931 Comment 6: same results: OK
Added test files in attachment, so next time I don't have to follow the whole thread again.

Whiteboard: (none) => MGA6-64-OK

Comment 7 Dave Hodgins 2018-02-08 11:37:03 CET 
Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 8 Mageia Robot 2018-02-08 12:32:00 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0121.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED