Hi, thanks for reporting this bug.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => ouaurelien
Assignee: bugsquad => shlomif

fixed in cauldron.

CC: (none) => mageia
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

pushed in mga7

src:
    perl-Convert-ASN1-0.270.0-6.1.mga7

Assignee: shlomif => qa-bugs

Advisory:
========================

Updated perl-Convert-ASN1 package fixes security vulnerability:

perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 allows
remote attackers to cause an infinite loop via unexpected input
(CVE-2013-7488).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7488
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ONNQSW4SSKMG5RUEFZJZA5T5R2WXEGQF/
========================

Updated packages in core/updates_testing:
========================
perl-Convert-ASN1-0.270.0-6.1.mga7

from perl-Convert-ASN1-0.270.0-6.1.mga7.src.rpm

mga7, x64

Installed the module.

CVE-2013-7488
https://github.com/gbarr/perl-Convert-ASN1/issues/14
$ cat 27710.pl
#!/usr/bin/perl
use Convert::ASN1;
my $asn = Convert::ASN1->new;
$asn->prepare(q<
  [APPLICATION 7] SEQUENCE {
    int INTEGER
  }
>);
my $out;
$out = $asn->decode( pack("H*", "dfccd3fde3") );
$out = $asn->decode( pack("H*", "b0805f92cb") );

Running this script causes an endless stream of messages.
$ perl 27710.pl
.....
Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/vendor_perl/Convert/ASN1/_decode.pm line 692.
substr outside of string at /usr/share/perl5/vendor_perl/Convert/ASN1/_decode.pm line 692.
Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/vendor_perl/Convert/ASN1/_decode.pm line 692.
substr outside of string at /usr/share/perl5/vendor_perl/Convert^C

Updated the package.
Ran the PoC again.
This still caused an endless loop so the problem has not been fixed.
$ rpm -q perl-Convert-ASN1
perl-Convert-ASN1-0.270.0-6.1.mga7

CC: (none) => tarazed25

With reference to comment 5.
Used madb to find the x86_64 unified diffs on the source package but don't know how to read it apart from seeing that a patch was applied.

Status?

Package patched according to Comment 3 but, PoC from Comment 5 does the same issue...

Reassigning back, added current SRPM in field.

Assignee: qa-bugs => mageia
Source RPM: perl-Convert-ASN1-0.270.0-7.mga8.src.rpm => perl-Convert-ASN1-0.270.0-6.mga7.src.rpm
CVE: (none) => CVE-2013-7488

Status?

Assignee: mageia => qa-bugs

Can someone test this in Cauldron to see if the bug is fixed or still valid there?

Keywords: feedback => (none)

Confirmed this is still broken in Mageia 8, but fixed in Cauldron.  Will have to cancel the Mageia 7 update, but will still need to fix Mageia 8.

Version: 7 => 8
Assignee: qa-bugs => mageia
Source RPM: perl-Convert-ASN1-0.270.0-6.mga7.src.rpm => perl-Convert-ASN1-0.270.0-8.mga8.src.rpm

strange. I just took a look, and we have the same patches debian used.

Yeah it looks like patching doesn't work and we just have to upgrade it.

ok i update it.


src:
    - perl-Convert-ASN1-0.310.0-1.mga8

Assignee: mageia => qa-bugs

Before:
$ perl 27710.pl
Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/vendor_perl/Convert/ASN1/_decode.pm line 692.
substr outside of string at /usr/share/perl5/vendor_perl/Convert/ASN1/_decode.pm line 692
[...] (repeated infinitely)

After:
$ perl 27710.pl
$

Looks good on Mageia 8 x86_64 (and it's a noarch package).

Whiteboard: (none) => MGA8-64-OK

Installs OK over existing version.

MGA8-64-OK

Validating.
Advisory in comment 4 and SRPM in comment 13.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0363.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED