Bug 22462 - libtasn1 new security issues CVE-2017-10790 and CVE-2018-6003
Summary: libtasn1 new security issues CVE-2017-10790 and CVE-2018-6003
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 22484
Reported: 2018-01-26 05:22 CET by David Walser
Modified: 2018-02-08 12:32 CET (History)

See Also:
Source RPM: libtasn1-4.12-1.mga6.src.rpm
CVE:
Status comment:


Attachments
assign.asn1 (35 bytes, text/plain)
2018-02-06 14:57 CET, Herman Viaene
pkix.asn (129 bytes, text/plain)
2018-02-06 14:58 CET, Herman Viaene

Description David Walser 2018-01-26 05:22:43 CET
Ubuntu has issued an advisory today (January 25):
https://usn.ubuntu.com/usn/usn-3547-1/

CVE-2018-6003 does not affect Mageia 5, but does affect Mageia 6.

CVE-2017-10790 also affects Mageia 5 and Mageia 6.
David Walser 2018-01-26 05:22:51 CET

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-01-26 06:31:55 CET
CVE-2018-6003 was fixed in 4.13.  Fedora has issued an advisory for this on January 23:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SV667U5M7I5UJQFCA7UOSEE4AKKYRA64/
Comment 2 Marja Van Waes 2018-01-26 07:27:08 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

David Walser 2018-01-28 22:29:35 CET

Blocks: (none) => 22484

Comment 3 David Walser 2018-01-28 22:33:31 CET
Updated packages uploaded for Mageia 6 and Cauldron.

Advisory:
========================

Updated libtasn1 packages fix security vulnerabilities:

It was discovered that Libtasn1 incorrectly handled certain files. If a user
were tricked into opening a crafted file, an attacker could possibly use this
to cause a denial of service (CVE-2017-10790).

It was discovered that Libtasn1 incorrectly handled certain inputs. An attacker
could possibly use this to cause Libtasn1 to hang, resulting in a denial of
service (CVE-2018-6003).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6003
https://usn.ubuntu.com/usn/usn-3547-1/
========================

Updated packages in core/updates_testing:
========================
libtasn1_6-4.13-1.mga6
libtasn1-tools-4.13-1.mga6
libtasn1-devel-4.13-1.mga6

from libtasn1-4.13-1.mga6.src.rpm

Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 4 Herman Viaene 2018-02-06 14:57:49 CET
Created attachment 9959
assign.asn1

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2018-02-06 14:58:17 CET
Created attachment 9960
pkix.asn
Comment 6 Herman Viaene 2018-02-06 15:01:25 CET
MGA6-64 on Lenovo B50 Plasma
No installation issues
Rerun test as per bug 20931 Comment 6: same results: OK
Added test files in attachment, so next time I don't have to follow the whole thread again.

Whiteboard: (none) => MGA6-64-OK

Comment 7 Dave Hodgins 2018-02-08 11:37:03 CET
Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 8 Mageia Robot 2018-02-08 12:32:00 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0121.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

