Mandriva has issued this advisory today (March 27): http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:039 Cauldron is not vulnerable (it has 2.12).
Patched package uploaded.

Advisory:
========================

Updated libtasn1 packages fix security vulnerability:

The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products, does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure (CVE-2012-1569).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1569
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:039
========================

Updated packages in core/updates_testing:
========================

libtasn1_3-2.7-2.1.mga1
libtasn1-tools-2.7-2.1.mga1
libtasn1-devel-2.7-2.1.mga1

from libtasn1-2.7-2.1.mga1.src.rpm
Assignee: bugsquad => qa-bugs
For testing libtasn1_3, I'm using tigervnc and tigervnc-server, which are working fine.

For libtasn1-tools, I'm looking at http://en.wikipedia.org/wiki/Certificate_signing_request#CSR_Example

The openssl asn1parse -in test.asn1 works, as expected, however running asn1Parser test.asn1 returns ...

asn1Parser: test.asn1:1: parse error near '-'

Looks like either I don't understand how to test this, or it isn't working. Most likely I don't understand. Can you provide a proper test procedure for the tools?
CC: (none) => davidwhodgins
CC: (none) => fundawang
CC: (none) => guillomovitch
Funda, Guillaume, do you know of a way to test libtasn1 (See Comment 2)?
Actually, how to test asn1Coding, asn1Decoding, and asn1Parser?
Testing some binaries against some sample ASN content will only ensure you don't introduce regressions in the update, but only in the code used by those samples. And you also need to make sure those samples were parsed correctly before the update. Testing real usage of software using libtasn will just ensure that your current usage so far was not affected. My point is just that without minimal test coverage metrics, the usefulness of multiplying test cases is quite difficult to assess, and defining a 'proper test procedure' is nearly impossible. So I'd rather get the practical approach here. Was the test.asn1 sample parsable with asn1Parser before the update?
Not by the asn1Parser, although it works with the openssl asn1parse. I'm having trouble finding a test case that does work with the asn1Parser, as most search results are leading to openssl tests. Of the packages that require libtasn1_3, I've tested tigervnc, tigervnc-server, and hardinfo, and they are all working fine. Do you think that's adequate testing for this update?
I think that's probably more than was done for release...
Ok. Thanks. We still need x86-64 bit testing for this security update.
I'm guessing the bugzilla mail to qa-bugs didn't get through for a time, so just pinging QA if you hadn't seen this one yet. If you already knew about it, sorry for the noise.
x86_64

Following instructions here..
http://www.gnu.org/software/libtasn1/manual/html_node/Invoking-asn1Coding.html

Saved first file as pkix.asn and second file as assign.asn1

$ asn1Coding pkix.asn assign.asn1
Parse: done.
var=dp, value=PKIX1.Dss-Sig-Value
var=r, value=42
var=s, value=47

name:NULL  type:SEQUENCE
name:r  type:INTEGER  value:0x2a
name:s  type:INTEGER  value:0x2f

Coding: SUCCESS
-----------------
Number of bytes=8
30 06 02 01 2a 02 01 2f
-----------------
OutputFile=assign.out
Writing: done.

Then info from here..
http://www.gnu.org/software/libtasn1/manual/html_node/Invoking-asn1Parser.html

$ asn1Parser pkix.asn
Done.

Generates pkix_asn1_tab.c which contains..

#if HAVE_CONFIG_H
# include "config.h"
#endif

#include <libtasn1.h>

const ASN1_ARRAY_TYPE pkix_asn1_tab[] = {
  { "PKIX1", 536875024, NULL },
  { NULL, 1073741836, NULL },
  { "Dss-Sig-Value", 536870917, NULL },
  { "r", 1073741827, NULL },
  { "s", 3, NULL },
  { NULL, 0, NULL }
};

Then following..
http://www.gnu.org/software/libtasn1/manual/html_node/Invoking-asn1Decoding.html

$ asn1Decoding pkix.asn assign.out PKIX1.Dss-Sig-Value
Parse: done.
Decoding: SUCCESS

DECODING RESULT:
name:NULL  type:SEQUENCE
name:r  type:INTEGER  value:0x2a
name:s  type:INTEGER  value:0x2f

Not yet tested with tigervnc
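Added here as an illustration of what the test above exercises, not code from this bug report or from libtasn1: a small Python DER encoder/decoder for the Dss-Sig-Value SEQUENCE { r INTEGER, s INTEGER } used in the asn1Coding run. The encoder reproduces the 8 bytes shown (30 06 02 01 2a 02 01 2f), and the decoder checks every length field against the bytes actually present, which is the class of input (a large declared length) the advisory describes; the malformed buffer at the end is a constructed test value.

```python
# Added example (not libtasn1 code): DER encode/decode for
#   Dss-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }
# Every length field is checked against the bytes that remain, so a
# crafted length cannot drive reads or allocations past the buffer.
def der_len(n):
    """DER length: short form below 128, else 0x80|octet-count then big-endian value."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def der_int(v):  # non-negative INTEGER; the extra octet keeps the sign bit clear
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(body)) + body
def encode_dss_sig_value(r, s):  # r=42, s=47 gives 30 06 02 01 2a 02 01 2f
    content = der_int(r) + der_int(s)
    return b"\x30" + der_len(len(content)) + content
def read_length(buf, pos):  # length at buf[pos] -> (length, next pos) or ValueError
    if pos >= len(buf):
        raise ValueError("truncated length")
    first, pos = buf[pos], pos + 1
    if first >= 0x80:  # long form: low bits give the octet count; 0 (indefinite) is not DER
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        first, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if first > len(buf) - pos:  # the check that a crafted large length must fail
        raise ValueError("declared length %d exceeds remaining data" % first)
    return first, pos
def read_tlv(buf, pos, tag):  # one element with the expected tag -> (content, next pos)
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (tag, pos))
    length, pos = read_length(buf, pos + 1)
    return buf[pos:pos + length], pos + length
def decode_dss_sig_value(buf):  # -> (r, s); ValueError on bad tag, length or trailing bytes
    seq, end = read_tlv(buf, 0, 0x30)
    r_bytes, pos = read_tlv(seq, 0, 0x02)
    s_bytes, pos = read_tlv(seq, pos, 0x02)
    if end != len(buf) or pos != len(seq) or not r_bytes or not s_bytes:
        raise ValueError("malformed Dss-Sig-Value")
    return int.from_bytes(r_bytes, "big", signed=True), int.from_bytes(s_bytes, "big", signed=True)
def is_well_formed(buf):  # True when the decoder accepts buf, False when it rejects it
    try:
        return decode_dss_sig_value(buf) is not None
    except ValueError:
        return False

# Constructed test input: a SEQUENCE claiming 0x7fffffff bytes but carrying only three.
OVERSIZED_LENGTH = bytes.fromhex("30847fffffff02012a")
```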
As there were no errors during these tests I'm going to validate. Please see comment 1 for advisory and srpm. Could sysadmin please push from core/updates_testing to core/updates. Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
Update pushed
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED