31039 – libtasn1 new security issue CVE-2021-46848

Bug 31039 - libtasn1 new security issue CVE-2021-46848

Summary: libtasn1 new security issue CVE-2021-46848

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2022-10-27 14:32 CEST by David Walser
Modified:	2022-11-08 20:45 CET (History)
CC List:	5 users (show)

See Also:
Source RPM:	libtasn1-4.16.0-4.mga8.src.rpm
CVE:	CVE-2021-46848
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2022-10-27 14:32:40 CEST

SUSE has issued an advisory on October 26:
https://lists.suse.com/pipermail/sle-security-updates/2022-October/012715.html

The issue is fixed upstream in 4.19.0.

Mageia 8 is also affected.

David Walser 2022-10-27 14:33:06 CEST

Status comment: (none) => Fixed upstream in 4.19.0
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-10-27 14:37:36 CEST

Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UOQWW4AUK2TNVOVQ3OANN2IEBVJFBHJ4/

Comment 2 David Walser 2022-10-27 14:52:47 CEST

libtasn1-4.19.0-1.mga9 uploaded for Cauldron.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 3 Lewis Smith 2022-10-29 22:19:23 CEST

Thanks David, that should help.

No particular packager in sight for this, so assigning globally. Note it is now M8 only.

Assignee: bugsquad => pkg-bugs

Comment 4 David Walser 2022-11-01 13:38:53 CET

Ubuntu has issued an advisory for this on October 31:
https://ubuntu.com/security/notices/USN-5707-1

Comment 5 Nicolas Salguero 2022-11-02 15:28:09 CET

Suggested advisory:
========================

The updated packages fix a security vulnerability:

GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der. (CVE-2021-46848)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46848
https://lists.suse.com/pipermail/sle-security-updates/2022-October/012715.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UOQWW4AUK2TNVOVQ3OANN2IEBVJFBHJ4/
https://ubuntu.com/security/notices/USN-5707-1
========================

Updated packages in core/updates_testing:
========================
lib(64)tasn1_6-4.16.0-4.1.mga8
lib(64)tasn1-devel-4.16.0-4.1.mga8
libtasn1-tools-4.16.0-4.1.mga8

from SRPM:
libtasn1-4.16.0-4.1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2021-46848
Status comment: Fixed upstream in 4.19.0 => (none)
Source RPM: libtasn1-4.18.0-2.mga9.src.rpm => libtasn1-4.16.0-4.mga8.src.rpm

Comment 6 Herman Viaene 2022-11-05 11:45:29 CET

MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 25744, I installed blender. i was able to open a new project, select 2D and draw some objects. Tried to follow a tutorial, but my lack of experience og graphical matters is blatant, and this laptop is underdimensioned, I checked with strace and can confirm libtasn was called upon.
So OK with me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 7 Thomas Andrews 2022-11-05 13:14:51 CET

Validating. Advisory in Comment 5.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-11-08 15:38:39 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2022-11-08 20:45:56 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0414.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.