Bug 27710

Summary: perl-Convert-ASN1 new security issue CVE-2013-7488
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: mageia, ouaurelien, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: perl-Convert-ASN1-0.270.0-8.mga8.src.rpm CVE: CVE-2013-7488
Status comment:

Description David Walser 2020-12-02 17:31:39 CET 
Fedora has issued an advisory today (December 2):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ONNQSW4SSKMG5RUEFZJZA5T5R2WXEGQF/

Mageia 7 is also affected.
David Walser 2020-12-02 17:31:49 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Aurelien Oudelet 2020-12-02 18:09:45 CET 
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => ouaurelien
Assignee: bugsquad => shlomif

Comment 2 Nicolas Lécureuil 2020-12-27 12:35:31 CET 
fixed in cauldron.

CC: (none) => mageia
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 3 Nicolas Lécureuil 2020-12-27 13:08:17 CET 
pushed in mga7

src:
    perl-Convert-ASN1-0.270.0-6.1.mga7

Assignee: shlomif => qa-bugs

Comment 4 David Walser 2020-12-27 17:12:47 CET 
Advisory:
========================

Updated perl-Convert-ASN1 package fixes security vulnerability:

perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 allows
remote attackers to cause an infinite loop via unexpected input
(CVE-2013-7488).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7488
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ONNQSW4SSKMG5RUEFZJZA5T5R2WXEGQF/
========================

Updated packages in core/updates_testing:
========================
perl-Convert-ASN1-0.270.0-6.1.mga7

from perl-Convert-ASN1-0.270.0-6.1.mga7.src.rpm
Comment 5 Len Lawrence 2020-12-30 18:26:42 CET 
mga7, x64

Installed the module.

CVE-2013-7488
https://github.com/gbarr/perl-Convert-ASN1/issues/14
$ cat 27710.pl
#!/usr/bin/perl
use Convert::ASN1;
my $asn = Convert::ASN1->new;
$asn->prepare(q<
  [APPLICATION 7] SEQUENCE {
    int INTEGER
  }
>);
my $out;
$out = $asn->decode( pack("H*", "dfccd3fde3") );
$out = $asn->decode( pack("H*", "b0805f92cb") );

Running this script causes an endless stream of messages.
$ perl 27710.pl
.....
Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/vendor_perl/Convert/ASN1/_decode.pm line 692.
substr outside of string at /usr/share/perl5/vendor_perl/Convert/ASN1/_decode.pm line 692.
Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/vendor_perl/Convert/ASN1/_decode.pm line 692.
substr outside of string at /usr/share/perl5/vendor_perl/Convert^C

Updated the package.
Ran the PoC again.
This still caused an endless loop so the problem has not been fixed.
$ rpm -q perl-Convert-ASN1
perl-Convert-ASN1-0.270.0-6.1.mga7

CC: (none) => tarazed25

Comment 6 Len Lawrence 2020-12-30 19:01:17 CET 
With reference to comment 5.
Used madb to find the x86_64 unified diffs on the source package but don't know how to read it apart from seeing that a patch was applied.
Len Lawrence 2020-12-30 19:02:33 CET

Keywords: (none) => feedback

Comment 7 Aurelien Oudelet 2021-02-04 17:39:12 CET 
Status?

Package patched according to Comment 3 but, PoC from Comment 5 does the same issue...

Reassigning back, added current SRPM in field.

Assignee: qa-bugs => mageia
Source RPM: perl-Convert-ASN1-0.270.0-7.mga8.src.rpm => perl-Convert-ASN1-0.270.0-6.mga7.src.rpm
CVE: (none) => CVE-2013-7488

Comment 8 Aurelien Oudelet 2021-02-19 16:51:09 CET 
Status?

Assignee: mageia => qa-bugs

Aurelien Oudelet 2021-03-01 17:11:02 CET

Status: NEW => NEEDINFO

Aurelien Oudelet 2021-03-07 17:23:09 CET

Status: NEEDINFO => NEW

Comment 9 David Walser 2021-06-21 22:14:18 CEST 
Can someone test this in Cauldron to see if the bug is fixed or still valid there?

Keywords: feedback => (none)

Comment 10 David Walser 2021-07-08 22:48:02 CEST 
Confirmed this is still broken in Mageia 8, but fixed in Cauldron.  Will have to cancel the Mageia 7 update, but will still need to fix Mageia 8.

Version: 7 => 8
Assignee: qa-bugs => mageia
Source RPM: perl-Convert-ASN1-0.270.0-6.mga7.src.rpm => perl-Convert-ASN1-0.270.0-8.mga8.src.rpm

Comment 11 Nicolas Lécureuil 2021-07-20 15:13:36 CEST 
strange. I just took a look, and we have the same patches debian used.
Comment 12 David Walser 2021-07-20 15:30:21 CEST 
Yeah it looks like patching doesn't work and we just have to upgrade it.
Comment 13 Nicolas Lécureuil 2021-07-20 18:10:46 CEST 
ok i update it.


src:
    - perl-Convert-ASN1-0.310.0-1.mga8

Assignee: mageia => qa-bugs

Comment 14 David Walser 2021-07-20 18:39:31 CEST 
Before:
$ perl 27710.pl
Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/vendor_perl/Convert/ASN1/_decode.pm line 692.
substr outside of string at /usr/share/perl5/vendor_perl/Convert/ASN1/_decode.pm line 692
[...] (repeated infinitely)

After:
$ perl 27710.pl
$

Looks good on Mageia 8 x86_64 (and it's a noarch package).

Whiteboard: (none) => MGA8-64-OK

Comment 15 Aurelien Oudelet 2021-07-20 22:03:36 CEST 
Installs OK over existing version.

MGA8-64-OK

Validating.
Advisory in comment 4 and SRPM in comment 13.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Aurelien Oudelet 2021-07-20 23:18:14 CEST

Keywords: (none) => advisory

Comment 16 Mageia Robot 2021-07-21 14:19:30 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0363.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED