Bug 13456 - libtasn1 new security issues CVE-2014-346[7-9]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/601142/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-05-30 17:08 CEST by David Walser
Modified: 2014-06-03 18:41 CEST

See Also:
Source RPM: libtasn1-3.4-1.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2014-05-30 17:08:38 CEST
Security issues fixed upstream in libtasn1 have been made public today (May 30):
http://openwall.com/lists/oss-security/2014/05/30/2

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated libtasn1 packages fix security vulnerabilities:

Multiple buffer boundary check issues were discovered in the libtasn1 library,
causing it to read beyond the boundary of an allocated buffer.  An untrusted
ASN.1 input could cause an application using the library to crash
(CVE-2014-3467).

It was discovered that the libtasn1 library function asn1_get_bit_der() could
incorrectly report a negative bit length of the value read from ASN.1 input.
This could possibly lead to an out of bounds access in an application using
libtasn1, for example if the application tried to terminate the read value
with a NUL byte (CVE-2014-3468).

A NULL pointer dereference flaw was found in libtasn1's
asn1_read_value_type() / asn1_read_value() function. If an application
called the function with a NULL value for an ivalue argument to determine
the amount of memory needed to store data to be read from the ASN.1 input,
libtasn1 could incorrectly attempt to dereference the NULL pointer, causing
an application using the library to crash (CVE-2014-3469).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3467
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3468
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3469
http://lists.gnu.org/archive/html/help-libtasn1/2014-05/msg00006.html
========================

Updated packages in core/updates_testing:
========================
libtasn1_6-3.6-1.mga3
libtasn1-tools-3.6-1.mga3
libtasn1-devel-3.6-1.mga3
libtasn1_6-3.6-1.mga4
libtasn1-tools-3.6-1.mga4
libtasn1-devel-3.6-1.mga4

from SRPMS:
libtasn1-3.6-1.mga3.src.rpm
libtasn1-3.6-1.mga4.src.rpm

David Walser 2014-05-30 17:08:43 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 claire robinson 2014-06-02 14:54:38 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=5128#c10


Testing complete mga4 64

The two test files are below.

$ cat pkix.asn 
PKIX1 { }

DEFINITIONS IMPLICIT TAGS ::=

BEGIN

Dss-Sig-Value ::= SEQUENCE {
     r       INTEGER,
     s       INTEGER
}

END

$ cat assign.asn1 
dp PKIX1.Dss-Sig-Value

r 42
s 47

Testing with commands from libtasn1-tools:

$ asn1Coding pkix.asn assign.asn1
Parse: done.

var=dp, value=PKIX1.Dss-Sig-Value
var=r, value=42
var=s, value=47

name:NULL  type:SEQUENCE
  name:r  type:INTEGER  value:0x2a
  name:s  type:INTEGER  value:0x2f

Coding: SUCCESS

-----------------
Number of bytes=8
30 06 02 01 2a 02 01 2f 
-----------------

OutputFile=assign.out

Writing: done.

$ asn1Parser pkix.asn
Done.

$ asn1Decoding pkix.asn assign.out PKIX1.Dss-Sig-Value
Parse: done.

Decoding: SUCCESS

DECODING RESULT:
name:NULL  type:SEQUENCE
  name:r  type:INTEGER  value:0x2a
  name:s  type:INTEGER  value:0x2f

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
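
Added example, not part of the original report and not libtasn1 code: a minimal bounds-checked DER reader showing the two checks the advisory is about (a declared length that runs past the buffer, and a BIT STRING whose computed bit length would be negative), exercised on the 8 bytes asn1Coding printed in comment 1. The function names der_header, der_bit_length and decode_dss_sig are hypothetical, and the reader assumes one-octet tags and does not enforce minimal length encoding.

```c
#include <stdio.h>

/* Read one DER header at buf[*pos]; -1 unless header and content fit in buf[0..n). */
static int der_header(const unsigned char *buf, size_t n, size_t *pos, size_t *len)
{
    size_t p = *pos, l, k;
    if (p > n || n - p < 2) return -1;          /* no room for tag + length */
    int tag = buf[p++];
    l = buf[p++];
    if (l & 0x80) {                             /* long form: low 7 bits = octet count */
        k = l & 0x7f;
        if (k == 0 || k > sizeof l || k > n - p) return -1;
        for (l = 0; k > 0; k--) l = (l << 8) | buf[p++];
    }
    if (l > n - p) return -1;                   /* declared length overruns buffer */
    *pos = p; *len = l;
    return tag;
}

/* BIT STRING bit count or -1; content octet 0 is the unused-bit count (0..7). */
long long der_bit_length(const unsigned char *buf, size_t n)
{
    size_t pos = 0, len;
    if (der_header(buf, n, &pos, &len) != 0x03 || len < 1) return -1;
    if (buf[pos] > 7 || (len == 1 && buf[pos] != 0)) return -1;  /* else negative */
    return (long long)(len - 1) * 8 - buf[pos];
}

/* Decode SEQUENCE { r INTEGER, s INTEGER }, non-negative values up to 4 octets. */
int decode_dss_sig(const unsigned char *buf, size_t n, long *r, long *s)
{
    size_t pos = 0, len;
    long *out[2] = { r, s };
    if (der_header(buf, n, &pos, &len) != 0x30 || pos + len != n) return -1;
    for (int i = 0; i < 2; i++) {
        if (der_header(buf, n, &pos, &len) != 0x02 || len < 1 || len > 4) return -1;
        if (buf[pos] & 0x80) return -1;         /* negative INTEGER: out of scope here */
        for (*out[i] = 0; len > 0; len--) *out[i] = (*out[i] << 8) | buf[pos++];
    }
    return pos == n ? 0 : -1;                   /* both fields must fill the SEQUENCE */
}

int main(void)
{
    const unsigned char sig[] = { 0x30, 0x06, 0x02, 0x01, 0x2a, 0x02, 0x01, 0x2f };
    long r, s;                                  /* sig: the 8 bytes from comment 1 */
    if (decode_dss_sig(sig, sizeof sig, &r, &s) == 0) printf("r=%ld s=%ld\n", r, s);
    return 0;
}
```

A caller that NUL-terminates or copies a decoded value should size its buffer from a length validated this way, never from an unchecked signed result.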

Comment 2 David Walser 2014-06-02 14:57:16 CEST
Tested using Claire's testing procedure from:
https://bugs.mageia.org/show_bug.cgi?id=5128#c10

With Mageia 4 i586 I got the same results she got in the previous test.
Comment 3 David Walser 2014-06-02 15:00:34 CEST
Also got the same results testing Mageia 3 i586.
Comment 4 claire robinson 2014-06-02 15:02:16 CEST
Testing complete mga3 32 too

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok

Comment 5 claire robinson 2014-06-02 15:08:12 CEST
Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 6 claire robinson 2014-06-02 15:12:44 CEST
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

claire robinson 2014-06-02 15:13:09 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2014-06-02 20:49:48 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0247.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2014-06-03 18:41:45 CEST

URL: (none) => http://lwn.net/Vulnerabilities/601142/

