Bug 18204 - libtasn1 new security issue CVE-2016-4008
Summary: libtasn1 new security issue CVE-2016-4008
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/683994/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-04-14 17:58 CEST by David Walser
Modified: 2016-05-11 21:28 CEST

See Also:
Source RPM: libtasn1-4.2-4.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2016-04-14 17:58:00 CEST
A CVE has been assigned for a security issue fixed in libtasn1 4.8:
http://openwall.com/lists/oss-security/2016/04/13/3

Cauldron has been updated.  I don't have a link to a patch/commit, but we could just update Mageia 5, as we have updated this package in the past.
Comment 1 Marja Van Waes 2016-04-15 13:02:31 CEST
Assigning to all packagers collectively, since there is no maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

David Walser 2016-04-15 20:37:14 CEST

URL: (none) => http://lwn.net/Vulnerabilities/683994/

Comment 2 David Walser 2016-05-04 19:46:46 CEST
Ubuntu has identified the upstream patches:
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4008.html

and issued an advisory for this on May 2:
http://www.ubuntu.com/usn/usn-2957-1/
Comment 3 David GEIGER 2016-05-04 22:31:12 CEST
Done! Adding the upstream patch mentioned in comment 2.

CC: (none) => geiger.david68210

Comment 4 David Walser 2016-05-05 00:46:56 CEST
General Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=5128#c10

Advisory:
========================

Updated libtasn1 packages fix security vulnerability:

Pascal Cuoq and Miod Vallat discovered that Libtasn1 incorrectly handled
certain malformed DER certificates. A remote attacker could possibly use
this issue to cause applications using Libtasn1 to hang, resulting in a
denial of service (CVE-2016-4008).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4008
http://www.ubuntu.com/usn/usn-2957-1/
========================

Updated packages in core/updates_testing:
========================
libtasn1_6-4.2-4.1.mga5
libtasn1-tools-4.2-4.1.mga5
libtasn1-devel-4.2-4.1.mga5

from libtasn1-4.2-4.1.mga5.src.rpm

Assignee: pkg-bugs => qa-bugs
Whiteboard: (none) => has_procedure

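A defender's verification step for this update, added here as an example (it is not part of the bug report or of Mageia's own tooling): a reimplementation of rpm's version-comparison rules, used to decide whether an installed libtasn1 build is at or above the 4.2-4.1.mga5 packages listed in comment 4. Plain lexical or `sort -V` ordering gets the release 4.mga5 versus 4.1.mga5 wrong, because rpm ranks a numeric segment above an alphabetic one; the `FIXED` table and `outdated()` helper are constructed for this check.

```python
import re

def rpmvercmp(a: str, b: str) -> int:
    """rpm's rpmvercmp rules, reimplemented: -1 if a < b, 0 if equal, 1 if a > b.
    The pre-release '~' marker is handled; the newer '^' marker is not."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric and not '~') are ignored
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # '~' sorts before everything, including the end of the string
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1
        if i >= len(a) or j >= len(b):
            break
        # Next segment: a run of digits or of letters, chosen by what a starts with
        pat = r"[0-9]+" if a[i].isdigit() else r"[A-Za-z]+"
        s1 = re.match(pat, a[i:]).group(0)
        m2 = re.match(pat, b[j:])
        s2 = m2.group(0) if m2 else ""
        i, j = i + len(s1), j + len(s2)
        if not s2:  # segment types differ: a numeric segment is newer than letters
            return 1 if pat == r"[0-9]+" else -1
        if pat == r"[0-9]+":
            s1, s2 = s1.lstrip("0"), s2.lstrip("0")
            if len(s1) != len(s2):  # more digits means a larger number
                return 1 if len(s1) > len(s2) else -1
        if s1 != s2:
            return 1 if s1 > s2 else -1
    # Equal so far: whichever string still has segments left is newer
    return 0 if i >= len(a) and j >= len(b) else (-1 if i >= len(a) else 1)

def is_fixed(installed_vr: str, fixed_vr: str) -> bool:
    """True if an installed 'VERSION-RELEASE' (as printed by
    rpm -q --qf '%{VERSION}-%{RELEASE}' PKG) is at least the fixed build."""
    iv, _, ir = installed_vr.rpartition("-")
    fv, _, fr = fixed_vr.rpartition("-")
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0

# Fixed builds listed in comment 4 (constructed table); all three share one version-release
FIXED = {p: "4.2-4.1.mga5" for p in ("libtasn1_6", "libtasn1-tools", "libtasn1-devel")}

def outdated(installed: dict) -> list:  # installed: package name -> 'VERSION-RELEASE'
    return [p for p, vr in installed.items() if p in FIXED and not is_fixed(vr, FIXED[p])]
```

Feed `outdated()` the output of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` for the three package names to list what still needs the update.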
Comment 5 David Walser 2016-05-09 13:50:47 CEST
Tested fine using Claire's test procedure, Mageia 5 i586 and x86_64.

Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK

Comment 6 Lewis Smith 2016-05-11 13:15:23 CEST
Validated.
Advisory ex Comment 4 uploaded.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs

Comment 7 Mageia Robot 2016-05-11 21:28:05 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0170.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED