| Summary: | libtasn1 new security issue CVE-2018-1000654 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | libtasn1-4.13-2.mga7.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2019-11-25 22:15:27 CET
Advisory: ======================== Updated libtasn1 packages fix security vulnerability: Denial of service in asn1Parser (CVE-2018-1000654). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000654 https://lists.opensuse.org/opensuse-updates/2019-06/msg00016.html ======================== Updated packages in core/updates_testing: ======================== libtasn1_6-4.14-1.mga7 libtasn1-tools-4.14-1.mga7 libtasn1-devel-4.14-1.mga7 from libtasn1-4.14-1.mga7.src.rpm Assignee:
bugsquad =>
qa-bugs Started this after inadvertently enabling testing updates - still in the throes of setting up the system after an mgaonline upgrade from 6 to 7. The POC gave a good result. Back in a wee while. CC:
(none) =>
tarazed25 Mageia7, x86_64 Installed missing tasn1 components: lib64tasn1_6-4.13-2.mga7 lib64tasn1-devel-4.13-2.mga7 libtasn1-tools-4.13-2.mga7 CVE-2018-1000654 https://bugzilla.suse.com/show_bug.cgi?id=1105435&_ga=2.19302076.528095209.1575227174-225896987.1575227174 $ asn1Parser -c Bug1-POC $ asn1Parser -c Bug1-POC Bug1-POC:23: Warning: UniversalString is a built-in ASN.1 type. Bug1-POC:56: Warning: VisibleString is a built-in ASN.1 type. Bug1-POC:58: Warning: NumericString is a built-in ASN.1 type. ........ This went into the expected endless loop. One core hit 100% and it was difficult to interact with the desktop. Killed the process eventually. $ urpmq --whatrequires-recursive lib64tasn1_6 | sort -u > tasn $ lines tasn 10689 Looks like this is quite important. Ran MageiaUpdate to update the test packages. $ rpm -qa | grep tasn1 lib64tasn1_6-4.14-1.mga7 lib64tasn1-devel-4.14-1.mga7 libtasn1-tools-4.14-1.mga7 $ asn1Parser -c Bug1-POC Bug1-POC:23: Warning: UniversalString is a built-in ASN.1 type. Bug1-POC:56: Warning: VisibleString is a built-in ASN.1 type. Bug1-POC:58: Warning: NumericString is a built-in ASN.1 type. [...] Bug1-POC:171: Warning: PrintableString is a built-in ASN.1 type. libtasn1 ERROR: RECURSION No endless loop - good result. Actually testing this is problematic, not knowing under what circumstances these 10000 or so packages use libtasn1. Ran several under trace. alsaplayer yielded nothing. $ strace -o ping.trace ansible -k -i ~/tmp/hosts all -m ping $ grep tasn1 ping.trace nothing $ sudo strace -o apache systemctl status httpd $ grep tasn1 apache nothing $ strace -o blender.trace blender openat(AT_FDCWD, "/lib64/libtasn1.so.6", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib64/libtasn1.so.6.5.6", O_RDONLY) = 3 openat(AT_FDCWD, "/usr/lib64/libtasn1.so.6.5.6", O_RDONLY) = 4 blender seemed to be working fine. $ strace -o caja.trace caja $ grep tasn1 caja.trace nothing Well at least blender accesses it. Giving this an OK on that basis and the result of the POC test.
Len Lawrence
2019-12-01 22:01:53 CET
Whiteboard:
(none) =>
MGA7-64-OK Validating. Advisory in Comment 2. Keywords:
(none) =>
validated_update
Thomas Backlund
2019-12-06 14:08:39 CET
Keywords:
(none) =>
advisory An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0359.html Status:
NEW =>
RESOLVED |