openSUSE has issued an advisory on June 3: https://lists.opensuse.org/opensuse-updates/2019-06/msg00016.html The issue is fixed upstream in 4.14. It sounds like it only affects the asn1Parser tool, not the library itself, so not a big deal.
Done!
CC: (none) => geiger.david68210
Advisory: ======================== Updated libtasn1 packages fix security vulnerability: Denial of service in asn1Parser (CVE-2018-1000654). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000654 https://lists.opensuse.org/opensuse-updates/2019-06/msg00016.html ======================== Updated packages in core/updates_testing: ======================== libtasn1_6-4.14-1.mga7 libtasn1-tools-4.14-1.mga7 libtasn1-devel-4.14-1.mga7 from libtasn1-4.14-1.mga7.src.rpm
Assignee: bugsquad => qa-bugs
Started this after inadvertently enabling testing updates - still in the throes of setting up the system after an mgaonline upgrade from 6 to 7. The POC gave a good result. Back in a wee while.
CC: (none) => tarazed25
Mageia7, x86_64 Installed missing tasn1 components: lib64tasn1_6-4.13-2.mga7 lib64tasn1-devel-4.13-2.mga7 libtasn1-tools-4.13-2.mga7 CVE-2018-1000654 https://bugzilla.suse.com/show_bug.cgi?id=1105435&_ga=2.19302076.528095209.1575227174-225896987.1575227174 $ asn1Parser -c Bug1-POC $ asn1Parser -c Bug1-POC Bug1-POC:23: Warning: UniversalString is a built-in ASN.1 type. Bug1-POC:56: Warning: VisibleString is a built-in ASN.1 type. Bug1-POC:58: Warning: NumericString is a built-in ASN.1 type. ........ This went into the expected endless loop. One core hit 100% and it was difficult to interact with the desktop. Killed the process eventually. $ urpmq --whatrequires-recursive lib64tasn1_6 | sort -u > tasn $ lines tasn 10689 Looks like this is quite important. Ran MageiaUpdate to update the test packages. $ rpm -qa | grep tasn1 lib64tasn1_6-4.14-1.mga7 lib64tasn1-devel-4.14-1.mga7 libtasn1-tools-4.14-1.mga7 $ asn1Parser -c Bug1-POC Bug1-POC:23: Warning: UniversalString is a built-in ASN.1 type. Bug1-POC:56: Warning: VisibleString is a built-in ASN.1 type. Bug1-POC:58: Warning: NumericString is a built-in ASN.1 type. [...] Bug1-POC:171: Warning: PrintableString is a built-in ASN.1 type. libtasn1 ERROR: RECURSION No endless loop - good result. Actually testing this is problematic, not knowing under what circumstances these 10000 or so packages use libtasn1. Ran several under trace. alsaplayer yielded nothing. $ strace -o ping.trace ansible -k -i ~/tmp/hosts all -m ping $ grep tasn1 ping.trace nothing $ sudo strace -o apache systemctl status httpd $ grep tasn1 apache nothing $ strace -o blender.trace blender openat(AT_FDCWD, "/lib64/libtasn1.so.6", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib64/libtasn1.so.6.5.6", O_RDONLY) = 3 openat(AT_FDCWD, "/usr/lib64/libtasn1.so.6.5.6", O_RDONLY) = 4 blender seemed to be working fine. $ strace -o caja.trace caja $ grep tasn1 caja.trace nothing Well at least blender accesses it. Giving this an OK on that basis and the result of the POC test.
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 2.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisoryCC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0359.html
Status: NEW => RESOLVEDResolution: (none) => FIXED