Security issues fixed upstream in libtasn1 have been made public today (May 30): http://openwall.com/lists/oss-security/2014/05/30/2 Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. Advisory: ======================== Updated libtasn1 packages fix security vulnerabilities: Multiple buffer boundary check issues were discovered in libtasn1 library, causing it to read beyond the boundary of an allocated buffer. An untrusted ASN.1 input could cause an application using the library to crash (CVE-2014-3467). It was discovered that libtasn1 library function asn1_get_bit_der() could incorrectly report negative bit length of the value read from ASN.1 input. This could possibly lead to an out of bounds access in an application using libtasn1, for example in case if application tried to terminate read value with NUL byte (CVE-2014-3468). A NULL pointer dereference flaw was found in libtasn1's asn1_read_value_type() / asn1_read_value() function. If an application called the function with a NULL value for an ivalue argument to determine the amount of memory needed to store data to be read from the ASN.1 input, libtasn1 could incorrectly attempt to dereference the NULL pointer, causing an application using the library to crash (CVE-2014-3469). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3467 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3468 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3469 http://lists.gnu.org/archive/html/help-libtasn1/2014-05/msg00006.html ======================== Updated packages in core/updates_testing: ======================== libtasn1_6-3.6-1.mga3 libtasn1-tools-3.6-1.mga3 libtasn1-devel-3.6-1.mga3 libtasn1_6-3.6-1.mga4 libtasn1-tools-3.6-1.mga4 libtasn1-devel-3.6-1.mga4 from SRPMS: libtasn1-3.6-1.mga3.src.rpm libtasn1-3.6-1.mga4.src.rpm Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
Procedure: https://bugs.mageia.org/show_bug.cgi?id=5128#c10 Testing complete mga4 64 The two test files are below.. $ cat pkix.asn PKIX1 { } DEFINITIONS IMPLICIT TAGS ::= BEGIN Dss-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } END $ cat assign.asn1 dp PKIX1.Dss-Sig-Value r 42 s 47 Testing with commands from libtasn1-tools.. $ asn1Coding pkix.asn assign.asn1 Parse: done. var=dp, value=PKIX1.Dss-Sig-Value var=r, value=42 var=s, value=47 name:NULL type:SEQUENCE name:r type:INTEGER value:0x2a name:s type:INTEGER value:0x2f Coding: SUCCESS ----------------- Number of bytes=8 30 06 02 01 2a 02 01 2f ----------------- OutputFile=assign.out Writing: done. $ asn1Parser pkix.asn Done. $ asn1Decoding pkix.asn assign.out PKIX1.Dss-Sig-Value Parse: done. Decoding: SUCCESS DECODING RESULT: name:NULL type:SEQUENCE name:r type:INTEGER value:0x2a name:s type:INTEGER value:0x2f
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
Tested using Claire's testing procedure from: https://bugs.mageia.org/show_bug.cgi?id=5128#c10 With Mageia 4 i586 I got the same results she got in the previous test.
Also got the same results testing Mageia 3 i586.
Testing complete mga3 32 too
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok
Testing complete mga3 64
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates Thanks
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0247.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/601142/