Debian has issued an advisory today (May 24):
https://www.debian.org/security/2017/dsa-3861

The Debian bug has a link to the upstream commit to fix the issue:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863186

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Fixed on cauldron
CVE: (none) => CVE-2017-6891
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
CC: (none) => mageia
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
pushed in updates_testing: src.rpm: libtasn1-4.2-4.2.mga5
Assignee: pkg-bugs => qa-bugs
Advisory:
========================

Updated libtasn1 packages fix security vulnerability:

Jakub Jirasek of Secunia Research discovered that libtasn1 did not properly validate its input. This would allow an attacker to cause a crash by denial-of-service, or potentially execute arbitrary code, by tricking a user into processing a maliciously crafted assignments file (CVE-2017-6891).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6891
https://www.debian.org/security/2017/dsa-3861
========================

Updated packages in core/updates_testing:
========================
libtasn1_6-4.2-4.2.mga5
libtasn1-tools-4.2-4.2.mga5
libtasn1-devel-4.2-4.2.mga5

libtasn1-4.2-4.2.mga5.src.rpm
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Found bug 5128 Comment 10 as test procedure (tx Claire) and found same results

$ asn1Coding pkix.asn assign.asn1
Parse: done.
var=dp, value=PKIX1.Dss-Sig-Value
var=r, value=42
var=s, value=47
name:NULL type:SEQUENCE
name:r type:INTEGER value:0x2a
name:s type:INTEGER value:0x2f
Coding: SUCCESS
-----------------
Number of bytes=8
30 06 02 01 2a 02 01 2f
-----------------
OutputFile=assign.out
checked output file OK
Writing: done.

$ asn1Parser pkix.asn
Done.
checked output file OK

$ asn1Decoding pkix.asn assign.out PKIX1.Dss-Sig-Value
Parse: done.
Decoding: SUCCESS
DECODING RESULT:
name:NULL type:SEQUENCE
name:r type:INTEGER value:0x2a
name:s type:INTEGER value:0x2f

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Testing M5 x64

BEFORE the update:
lib64tasn1_6-4.2-4.1.mga5
libtasn1-tools-4.2-4.1.mga5

Ran the test procedure as per:
https://bugs.mageia.org/show_bug.cgi?id=5128#c10
(thank you Herman, & Claire originally) which starts by you creating 2 example files 'pkix.asn' & 'assign.asn1' as given in:
http://www.gnu.org/software/libtasn1/manual/html_node/Invoking-asn1Coding.html
All went as indicated.

1. asn1Coding pkix.asn assign.asn1
Parse: done.
var=dp, value=PKIX1.Dss-Sig-Value
var=r, value=42
var=s, value=47
name:NULL type:SEQUENCE
name:r type:INTEGER value:0x2a
name:s type:INTEGER value:0x2f
Coding: SUCCESS
-----------------
Number of bytes=8
30 06 02 01 2a 02 01 2f
-----------------
OutputFile=assign.out
Writing: done.

2. $ asn1Parser pkix.asn
Done.
Generates pkix_asn1_tab.c
$ cat pkix_asn1_tab.c
#if HAVE_CONFIG_H
# include "config.h"
#endif

#include <libtasn1.h>

const asn1_static_node pkix_asn1_tab[] = {
  { "PKIX1", 536875024, NULL },
  { NULL, 1073741836, NULL },
  { "Dss-Sig-Value", 536870917, NULL },
  { "r", 1073741827, NULL },
  { "s", 3, NULL },
  { NULL, 0, NULL }
};

3. $ asn1Decoding pkix.asn assign.out PKIX1.Dss-Sig-Value
Parse: done.
Decoding: SUCCESS
DECODING RESULT:
name:NULL type:SEQUENCE
name:r type:INTEGER value:0x2a
name:s type:INTEGER value:0x2f
---------------------------------

AFTER the update to:
lib64tasn1_6-4.2-4.2.mga5
libtasn1-tools-4.2-4.2.mga5
All results were identical to before. Update OK.
Validating. Advisory to follow.

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0159.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
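
Added example, not part of the bug thread and not libtasn1 code: a small strict DER reader that independently checks the 8 bytes the test procedure expects in assign.out (30 06 02 01 2a 02 01 2f) against r=42, s=47, and rejects truncated or inconsistent lengths. The function names and the SAMPLE constant are assumptions made for this illustration.

```python
# Added example: strict DER reader for the Dss-Sig-Value test vector.
# SAMPLE is the byte string printed by asn1Coding in the comments above.
SAMPLE = bytes.fromhex("30 06 02 01 2a 02 01 2f")


def read_tlv(buf, pos):
    """Return (tag, value, next_pos); reject truncated or non-DER lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length in one byte
        length = first
    else:                                 # long form: next n bytes hold it
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        if pos + n > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length encoding")
        pos += n
    if pos + length > len(buf):           # never trust the declared length
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def read_integer(buf, pos):
    """Read one INTEGER (tag 0x02) and return (value, next_pos)."""
    tag, val, pos = read_tlv(buf, pos)
    if tag != 0x02 or not val:
        raise ValueError("expected non-empty INTEGER")
    return int.from_bytes(val, "big", signed=True), pos


def decode_dss_sig_value(der):
    """Decode SEQUENCE { r INTEGER, s INTEGER } and return (r, s)."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one SEQUENCE with no trailing data")
    r, pos = read_integer(body, 0)
    s, pos = read_integer(body, pos)
    if pos != len(body):
        raise ValueError("trailing data inside SEQUENCE")
    return r, s


if __name__ == "__main__":
    print(decode_dss_sig_value(SAMPLE))
```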