Bug 5128 - libtasn1 new security issue CVE-2012-1569
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
Keywords: validated_update
 
Reported: 2012-03-27 13:12 CEST by David Walser
Modified: 2012-05-01 20:31 CEST
Source RPM: libtasn1-2.7-2.mga1.src.rpm

Description David Walser 2012-03-27 13:12:22 CEST
Mandriva has issued this advisory today (March 27):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:039

Cauldron is not vulnerable (it has 2.12).
Comment 1 David Walser 2012-03-27 13:28:33 CEST
Patched package uploaded.

Advisory:
========================

Updated libtasn1 packages fix security vulnerability:

The asn1_get_length_der function in decoding.c in GNU Libtasn1 before
2.12, as used in GnuTLS before 3.0.16 and other products, does not
properly handle certain large length values, which allows remote
attackers to cause a denial of service (heap memory corruption and
application crash) or possibly have unspecified other impact via a
crafted ASN.1 structure (CVE-2012-1569).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1569
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:039
========================

Updated packages in core/updates_testing:
========================
libtasn1_3-2.7-2.1.mga1
libtasn1-tools-2.7-2.1.mga1
libtasn1-devel-2.7-2.1.mga1

from libtasn1-2.7-2.1.mga1.src.rpm

Assignee: bugsquad => qa-bugs

Comment 2 Dave Hodgins 2012-04-04 21:02:17 CEST
For testing libtasn1_3, I'm using tigervnc and
tigervnc-server, which are working fine.

For libtasn1-tools, I'm looking at
http://en.wikipedia.org/wiki/Certificate_signing_request#CSR_Example

The openssl asn1parse -in test.asn1 works, as expected,
however running
asn1Parser test.asn1 returns ...
asn1Parser: test.asn1:1: parse error near '-'

Looks like either I don't understand how to test this,
or it isn't working.  Most likely I don't understand.

Can you provide a proper test procedure for the tools?

CC: (none) => davidwhodgins

David Walser 2012-04-04 23:28:43 CEST

CC: (none) => fundawang

David Walser 2012-04-04 23:28:53 CEST

CC: (none) => guillomovitch

Comment 3 David Walser 2012-04-04 23:29:25 CEST
Funda, Guillaume, do you know of a way to test libtasn1 (See Comment 2)?
Comment 4 Dave Hodgins 2012-04-05 02:39:24 CEST
Actually, how to test asn1Coding, asn1Decoding, and asn1Parser?
Comment 5 Guillaume Rousse 2012-04-05 10:38:02 CEST
Testing some binaries against some sample ASN content will only ensure you don't introduce regressions in the update, but only in the code used by those samples. And you also need to make sure those samples were parsed correctly before the update.

Testing real usage of software using libtasn will just ensure that your current usage so far was not affected.

My point is just that without minimal testing coverage metrics, the usefulness of multiplying test cases is quite difficult to assert, and defining a 'proper test procedure' is nearly impossible. So I'd rather take the practical approach here. Was the test.asn1 sample parsable with asn1Parser before the update?
Comment 6 Dave Hodgins 2012-04-06 05:22:18 CEST
Not by the asn1Parser, although it works with the openssl asn1parse.

I'm having trouble finding a test case that does work with the
asn1Parser, as most search results are leading to openssl
tests.

Of the packages that require libtasn1_3, I've tested tigervnc,
tigervnc-server, and hardinfo, and they are all working fine.

Do you think that's adequate testing for this update?
Comment 7 Guillaume Rousse 2012-04-06 09:58:54 CEST
I think that's probably more than was done for release...
Comment 8 Dave Hodgins 2012-04-06 10:07:18 CEST
Ok. Thanks.  We still need x86-64 bit testing for this security update.
Comment 9 David Walser 2012-04-21 15:28:50 CEST
I'm guessing the bugzilla mail to qa-bugs didn't get through for a time, so just pinging QA if you hadn't seen this one yet.  If you already knew about it, sorry for the noise.
Comment 10 claire robinson 2012-04-24 17:55:20 CEST
x86_64

Following instructions here..

http://www.gnu.org/software/libtasn1/manual/html_node/Invoking-asn1Coding.html

Saved first file as pkix.asn and second file as assign.asn1

$ asn1Coding pkix.asn assign.asn1
Parse: done.

var=dp, value=PKIX1.Dss-Sig-Value
var=r, value=42
var=s, value=47

name:NULL  type:SEQUENCE
  name:r  type:INTEGER  value:0x2a
  name:s  type:INTEGER  value:0x2f

Coding: SUCCESS

-----------------
Number of bytes=8
30 06 02 01 2a 02 01 2f
-----------------

OutputFile=assign.out

Writing: done.


Then info from here..

http://www.gnu.org/software/libtasn1/manual/html_node/Invoking-asn1Parser.html

$ asn1Parser pkix.asn
Done.

Generates pkix_asn1_tab.c which contains..

#if HAVE_CONFIG_H
# include "config.h"
#endif

#include <libtasn1.h>

const ASN1_ARRAY_TYPE pkix_asn1_tab[] = {
  { "PKIX1", 536875024, NULL },
  { NULL, 1073741836, NULL },
  { "Dss-Sig-Value", 536870917, NULL },
  { "r", 1073741827, NULL },
  { "s", 3, NULL },
  { NULL, 0, NULL }
};

Then following..

http://www.gnu.org/software/libtasn1/manual/html_node/Invoking-asn1Decoding.html

$ asn1Decoding pkix.asn assign.out PKIX1.Dss-Sig-Value
Parse: done.

Decoding: SUCCESS

DECODING RESULT:
name:NULL  type:SEQUENCE
  name:r  type:INTEGER  value:0x2a
  name:s  type:INTEGER  value:0x2f

Not yet tested with tigervnc
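
The kind of length check the advisory in comment 1 is about, as an added example (not libtasn1's code and not its actual patch): a DER length reader that rejects a length field claiming more bytes than remain in the buffer, run on the `30 06 ...` encoding from comment 10 and on a constructed oversized length. `der_read_length` and the sample arrays are hypothetical names; lengths wider than 32 bits are rejected as a simplifying assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not libtasn1's API): read the DER length field at
 * der[0..der_len) and return the content length, or -1 if the field is
 * malformed or claims more content than the buffer holds.
 * *hdr receives the number of bytes the length field itself occupies. */
static int64_t der_read_length(const uint8_t *der, size_t der_len, size_t *hdr)
{
    if (der_len == 0)
        return -1;
    if (!(der[0] & 0x80)) {              /* short form: one byte, 0..127 */
        *hdr = 1;
        return der[0] <= der_len - 1 ? (int64_t)der[0] : -1;
    }
    size_t n = der[0] & 0x7f;            /* long form: n length octets follow */
    if (n == 0 || n > sizeof(uint32_t) || n > der_len - 1)
        return -1;                       /* indefinite, too wide, or truncated */
    uint32_t len = 0;
    for (size_t i = 1; i <= n; i++)
        len = (len << 8) | der[i];
    *hdr = 1 + n;
    /* Compare against what is left; never add to len, which could wrap. */
    if (len > der_len - *hdr)
        return -1;
    return (int64_t)len;
}

/* From the asn1Coding output above: SEQUENCE { INTEGER 42, INTEGER 47 } */
static const uint8_t good[] = {0x30, 0x06, 0x02, 0x01, 0x2a, 0x02, 0x01, 0x2f};
/* Constructed: same tag, 4-octet length claiming 0xfffffff0 content bytes */
static const uint8_t huge[] = {0x30, 0x84, 0xff, 0xff, 0xff, 0xf0, 0x02, 0x01};
/* Constructed: long form announcing 2 length octets, only 1 present */
static const uint8_t cut[] = {0x30, 0x82, 0x01};

int main(void)
{
    size_t hdr = 0;
    /* Skip the tag byte (0x30) and parse the length that follows it. */
    printf("good: %lld\n", (long long)der_read_length(good + 1, sizeof good - 1, &hdr));
    printf("huge: %lld\n", (long long)der_read_length(huge + 1, sizeof huge - 1, &hdr));
    printf("cut:  %lld\n", (long long)der_read_length(cut + 1, sizeof cut - 1, &hdr));
    return 0;
}
```
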
Comment 11 claire robinson 2012-05-01 10:21:54 CEST
As there were no errors during these tests I'm going to validate.

Please see comment 1 for advisory and srpm

Could sysadmin please push from core/updates_testing to core/updates

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 12 Thomas Backlund 2012-05-01 20:31:03 CEST
Update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

