Bug 27710 - perl-Convert-ASN1 new security issue CVE-2013-7488
Summary: perl-Convert-ASN1 new security issue CVE-2013-7488
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2020-12-02 17:31 CET by David Walser
Modified: 2021-03-07 17:23 CET

See Also:
Source RPM: perl-Convert-ASN1-0.270.0-6.mga7.src.rpm
CVE: CVE-2013-7488
Status comment:


Attachments

Description David Walser 2020-12-02 17:31:39 CET
Fedora has issued an advisory today (December 2):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ONNQSW4SSKMG5RUEFZJZA5T5R2WXEGQF/

Mageia 7 is also affected.
David Walser 2020-12-02 17:31:49 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Aurelien Oudelet 2020-12-02 18:09:45 CET
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => ouaurelien
Assignee: bugsquad => shlomif

Comment 2 Nicolas Lécureuil 2020-12-27 12:35:31 CET
Fixed in Cauldron.

CC: (none) => mageia
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 3 Nicolas Lécureuil 2020-12-27 13:08:17 CET
Pushed in mga7.

src:
    perl-Convert-ASN1-0.270.0-6.1.mga7

Assignee: shlomif => qa-bugs

Comment 4 David Walser 2020-12-27 17:12:47 CET
Advisory:
========================

Updated perl-Convert-ASN1 package fixes security vulnerability:

perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 allows
remote attackers to cause an infinite loop via unexpected input
(CVE-2013-7488).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7488
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ONNQSW4SSKMG5RUEFZJZA5T5R2WXEGQF/
========================

Updated packages in core/updates_testing:
========================
perl-Convert-ASN1-0.270.0-6.1.mga7

from perl-Convert-ASN1-0.270.0-6.1.mga7.src.rpm

Comment 5 Len Lawrence 2020-12-30 18:26:42 CET
mga7, x64

Installed the module.

CVE-2013-7488
https://github.com/gbarr/perl-Convert-ASN1/issues/14
$ cat 27710.pl
#!/usr/bin/perl
use Convert::ASN1;
my $asn = Convert::ASN1->new;
$asn->prepare(q<
  [APPLICATION 7] SEQUENCE {
    int INTEGER
  }
>);
my $out;
$out = $asn->decode( pack("H*", "dfccd3fde3") );
$out = $asn->decode( pack("H*", "b0805f92cb") );

Running this script causes an endless stream of messages.
$ perl 27710.pl
.....
Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/vendor_perl/Convert/ASN1/_decode.pm line 692.
substr outside of string at /usr/share/perl5/vendor_perl/Convert/ASN1/_decode.pm line 692.
Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/vendor_perl/Convert/ASN1/_decode.pm line 692.
substr outside of string at /usr/share/perl5/vendor_perl/Convert^C

Updated the package.
Ran the PoC again.
This still caused an endless loop so the problem has not been fixed.
$ rpm -q perl-Convert-ASN1
perl-Convert-ASN1-0.270.0-6.1.mga7

CC: (none) => tarazed25
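
A timeout-guarded version of the check in comment 5, so a QA run ends with a pass/fail result and an exit code instead of needing Ctrl-C. This is an added example, not part of the original bug report or of the Convert::ASN1 project; the 5-second budget and the helper name check_input are assumptions.

```perl
#!/usr/bin/perl
# Added example: timeout-guarded regression check for the PoC in comment 5.
use strict;
use warnings;
use Convert::ASN1;

my $TIMEOUT = 5;    # assumed per-input budget in seconds

# The two hex inputs from the PoC in comment 5.
my @inputs = ('dfccd3fde3', 'b0805f92cb');

my $asn = Convert::ASN1->new;
$asn->prepare(q<
  [APPLICATION 7] SEQUENCE {
    int INTEGER
  }
>) or die "prepare failed: " . $asn->error . "\n";

# Decode one input under alarm(); returns ('hang' | 'returned', warning count).
sub check_input {
    my ($hex) = @_;
    my ($timed_out, $warnings) = (0, 0);
    local $SIG{__WARN__} = sub { $warnings++ };    # count instead of flooding the terminal
    # A flag is set as well as die(), so the timeout is still seen
    # if the module traps the exception internally.
    local $SIG{ALRM} = sub { $timed_out = 1; die "timeout\n" };
    eval {
        alarm $TIMEOUT;
        $asn->decode(pack('H*', $hex));            # only termination matters here
        1;
    };
    alarm 0;
    return ($timed_out ? 'hang' : 'returned', $warnings);
}

my $hangs = 0;
for my $hex (@inputs) {
    my ($state, $warnings) = check_input($hex);
    printf "%-12s %-8s warnings=%d\n", $hex, $state, $warnings;
    $hangs++ if $state eq 'hang';
}

print $hangs ? "FAIL: decode() did not terminate for $hangs input(s)\n"
             : "PASS: decode() terminated for all inputs\n";
exit($hangs ? 1 : 0);
```

Run it once against the installed package and again after updating; a non-zero exit status means at least one input still hit the timeout.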

Comment 6 Len Lawrence 2020-12-30 19:01:17 CET
With reference to comment 5.
Used madb to find the x86_64 unified diffs on the source package but don't know how to read them, apart from seeing that a patch was applied.
Len Lawrence 2020-12-30 19:02:33 CET

Keywords: (none) => feedback

Comment 7 Aurelien Oudelet 2021-02-04 17:39:12 CET
Status?

Package patched according to Comment 3, but the PoC from Comment 5 still shows the same issue...

Reassigning back, added current SRPM in field.

Source RPM: perl-Convert-ASN1-0.270.0-7.mga8.src.rpm => perl-Convert-ASN1-0.270.0-6.mga7.src.rpm
Assignee: qa-bugs => mageia
CVE: (none) => CVE-2013-7488

Comment 8 Aurelien Oudelet 2021-02-19 16:51:09 CET
Status?

Assignee: mageia => qa-bugs

Aurelien Oudelet 2021-03-01 17:11:02 CET

Status: NEW => NEEDINFO

Aurelien Oudelet 2021-03-07 17:23:09 CET

Status: NEEDINFO => NEW

