Bug 13456 - libtasn1 new security issues CVE-2014-346[7-9]
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/601142/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Reported: 2014-05-30 17:08 CEST by David Walser
Modified: 2014-06-03 18:41 CEST (History)
Source RPM: libtasn1-3.4-1.mga4.src.rpm

Description David Walser 2014-05-30 17:08:38 CEST
Security issues fixed upstream in libtasn1 have been made public today (May 30):
http://openwall.com/lists/oss-security/2014/05/30/2

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated libtasn1 packages fix security vulnerabilities:

Multiple buffer boundary check issues were discovered in the libtasn1 library,
causing it to read beyond the boundary of an allocated buffer.  An untrusted
ASN.1 input could cause an application using the library to crash
(CVE-2014-3467).

It was discovered that the libtasn1 library function asn1_get_bit_der() could
incorrectly report a negative bit length of the value read from ASN.1 input.
This could possibly lead to an out of bounds access in an application using
libtasn1, for example if the application tried to terminate the read value
with a NUL byte (CVE-2014-3468).

A NULL pointer dereference flaw was found in libtasn1's
asn1_read_value_type() / asn1_read_value() function. If an application
called the function with a NULL value for an ivalue argument to determine
the amount of memory needed to store data to be read from the ASN.1 input,
libtasn1 could incorrectly attempt to dereference the NULL pointer, causing
an application using the library to crash (CVE-2014-3469).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3467
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3468
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3469
http://lists.gnu.org/archive/html/help-libtasn1/2014-05/msg00006.html
========================

Updated packages in core/updates_testing:
========================
libtasn1_6-3.6-1.mga3
libtasn1-tools-3.6-1.mga3
libtasn1-devel-3.6-1.mga3
libtasn1_6-3.6-1.mga4
libtasn1-tools-3.6-1.mga4
libtasn1-devel-3.6-1.mga4

from SRPMS:
libtasn1-3.6-1.mga3.src.rpm
libtasn1-3.6-1.mga4.src.rpm

Comment 1 claire robinson 2014-06-02 14:54:38 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=5128#c10


Testing complete mga4 64

The two test files are below..

$ cat pkix.asn 
PKIX1 { }

DEFINITIONS IMPLICIT TAGS ::=

BEGIN

Dss-Sig-Value ::= SEQUENCE {
     r       INTEGER,
     s       INTEGER
}

END

$ cat assign.asn1 
dp PKIX1.Dss-Sig-Value

r 42
s 47

Testing with commands from libtasn1-tools..

$ asn1Coding pkix.asn assign.asn1
Parse: done.

var=dp, value=PKIX1.Dss-Sig-Value
var=r, value=42
var=s, value=47

name:NULL  type:SEQUENCE
  name:r  type:INTEGER  value:0x2a
  name:s  type:INTEGER  value:0x2f

Coding: SUCCESS

-----------------
Number of bytes=8
30 06 02 01 2a 02 01 2f 
-----------------

OutputFile=assign.out

Writing: done.

$ asn1Parser pkix.asn
Done.

$ asn1Decoding pkix.asn assign.out PKIX1.Dss-Sig-Value
Parse: done.

Decoding: SUCCESS

DECODING RESULT:
name:NULL  type:SEQUENCE
  name:r  type:INTEGER  value:0x2a
  name:s  type:INTEGER  value:0x2f
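
Added illustration, not libtasn1's code and not part of the original comments: a C sketch of the length validation the advisory in the description is about, run over the 8 DER bytes produced in the test in comment 1. Every announced length is checked against the bytes actually left, and an inconsistent BIT STRING bit length is rejected rather than returned negative. The names tlv_header, bitstring_bits and decode_dss_sig are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: the 8 bytes asn1Coding printed in the test (r=42, s=47). */
static const uint8_t SAMPLE[] = {0x30, 0x06, 0x02, 0x01, 0x2a, 0x02, 0x01, 0x2f};

/* Parse one TLV header (one-byte tag, definite length). Returns the header
 * size, or -1 if the header or the announced value runs past `len`. */
int tlv_header(const uint8_t *der, size_t len, uint8_t *tag, size_t *vlen)
{
    if (len < 2) return -1;
    size_t hdr = 2, n = der[1];
    if (n & 0x80) {                        /* long form: k length octets follow */
        size_t k = n & 0x7f;
        if (k == 0 || k > sizeof(size_t) || k > len - 2) return -1;
        for (n = 0; hdr < 2 + k; hdr++) n = (n << 8) | der[hdr];
    }
    if (n > len - hdr) return -1;          /* value must fit in the bytes left */
    *tag = der[0]; *vlen = n;
    return (int)hdr;
}

/* BIT STRING bit length (first value octet = unused bits); -1 if inconsistent. */
long bitstring_bits(const uint8_t *val, size_t vlen)
{
    if (vlen < 1 || val[0] > 7 || (vlen == 1 && val[0] != 0)) return -1;
    return (long)(vlen - 1) * 8 - val[0];
}

/* Decode SEQUENCE { r INTEGER, s INTEGER }, non-negative values that fit in
 * a long only (a limit of this sketch). Returns 0 on success, else -1. */
int decode_dss_sig(const uint8_t *der, size_t len, long *r, long *s)
{
    uint8_t tag; size_t vlen; long *out[2] = { r, s };
    int h = tlv_header(der, len, &tag, &vlen);
    if (h < 0 || tag != 0x30) return -1;
    const uint8_t *p = der + h; size_t left = vlen;
    for (int i = 0; i < 2; i++) {
        h = tlv_header(p, left, &tag, &vlen);
        if (h < 0 || tag != 0x02 || vlen == 0 || vlen > sizeof(long)) return -1;
        if (p[h] & 0x80) return -1;        /* negative values not handled here */
        unsigned long v = 0;
        for (size_t j = 0; j < vlen; j++) v = (v << 8) | p[h + j];
        *out[i] = (long)v;
        p += (size_t)h + vlen; left -= (size_t)h + vlen;
    }
    return left == 0 ? 0 : -1;             /* no trailing bytes in the SEQUENCE */
}

int main(void) { long r, s; return decode_dss_sig(SAMPLE, sizeof SAMPLE, &r, &s); }
```
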
Comment 2 David Walser 2014-06-02 14:57:16 CEST
Tested using Claire's testing procedure from:
https://bugs.mageia.org/show_bug.cgi?id=5128#c10

With Mageia 4 i586 I got the same results she got in the previous test.
Comment 3 David Walser 2014-06-02 15:00:34 CEST
Also got the same results testing Mageia 3 i586.
Comment 4 claire robinson 2014-06-02 15:02:16 CEST
Testing complete mga3 32 too
Comment 5 claire robinson 2014-06-02 15:08:12 CEST
Testing complete mga3 64
Comment 6 claire robinson 2014-06-02 15:12:44 CEST
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 7 Thomas Backlund 2014-06-02 20:49:48 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0247.html
