Date: Tue, 20 Mar 2012 10:54:11 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Stefan Cornelius <scorneli@...hat.com>
Subject: Re: CVE request: libtasn1 "asn1_get_length_der()" DER decoding issue

On 03/20/2012 06:40 AM, Stefan Cornelius wrote:
> Hi,
>
> libtasn1 version 2.12 was released fixing the following issue:
>
> - Corrected DER decoding issue (reported by Matthew Hall).
>   Added self check to detect the problem, see tests/Test_overflow.c.
>   This problem can lead to at least remotely triggered crashes, see
>   further analysis on the libtasn1 mailing list.
>
> Further issue details from Simon Josefsson:
>
> I want to mention that there was no security problem in the
> asn1_get_length_der function. It was working properly and as documented
> before. The security problem was the callers not checking that the
> returned values were reasonable, i.e., that the output length was less
> than or equal to the total length of the buffer. However, fixing all
> callers of this function would be a huge amount of work. Instead, we
> made asn1_get_length_der return an error code when the situation
> occurred, to protect callers. This fix could be the wrong thing if some
> code out there calls the function with a der_len parameter that is
> smaller than the entire DER structure length. However, we are hoping
> that is not in any significant use, and that overall security will be
> improved by having the function sanity check its output rather than
> letting the caller do that. This was a judgement call.
>
> http://thread.gmane.org/gmane.comp.gnu.libtasn1.general/54
>
> It appears like GnuTLS is affected as well (but probably does not need a
> separate CVE at this point):
> http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5952/
> http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5957/
>
> -- References --
>
> Release announcement:
> http://article.gmane.org/gmane.comp.gnu.libtasn1.general/53
>
> Small analysis + patch:
> http://thread.gmane.org/gmane.comp.gnu.libtasn1.general/54
>
> Red Hat bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=804920
>
> Thanks and kind regards,

Please use CVE-2012-1569 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
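
The distinction drawn in the quoted analysis, between a length decoder that leaves the bounds comparison to its callers and one that sanity-checks its own output against `der_len`, is shown here as an added example; it is not part of the original message and is not libtasn1's code. The function names, error codes and sample bytes are assumptions constructed for illustration.

```c
#include <stdio.h>

#define DER_ERR_MALFORMED (-1L)  /* hypothetical codes, not libtasn1's */
#define DER_ERR_OVERRUN   (-2L)

/* Constructed samples, starting at the length octets (tag already consumed). */
static const unsigned char sample_ok[]  = { 0x02, 'A', 'B' };             /* claims 2, has 2 */
static const unsigned char sample_bad[] = { 0x82, 0x10, 0x00, 'A', 'B' }; /* claims 4096, has 2 */

/* Decode the length octets at der[0..der_len). The result is NOT compared
 * with der_len (left to the caller). *len receives the octets consumed. */
long der_get_length(const unsigned char *der, int der_len, int *len)
{
    long ans = 0;
    *len = 0;
    if (der_len <= 0)
        return DER_ERR_MALFORMED;
    if (!(der[0] & 0x80)) {              /* short form: value 0..127 */
        *len = 1;
        return der[0];
    }
    int k = der[0] & 0x7f;               /* long form: k length octets follow */
    /* Reject indefinite form, truncation, and lengths too wide for a long. */
    if (k == 0 || k > der_len - 1 || k >= (int)sizeof(long))
        return DER_ERR_MALFORMED;
    for (int i = 1; i <= k; i++)
        ans = (ans << 8) | der[i];
    *len = 1 + k;
    return ans;
}

/* Same decoder with the sanity check inside the function: a length that runs
 * past the der_len bytes supplied becomes an error code, not a value. */
long der_get_length_checked(const unsigned char *der, int der_len, int *len)
{
    long ans = der_get_length(der, der_len, len);
    if (ans >= 0 && ans > (long)der_len - *len)
        return DER_ERR_OVERRUN;
    return ans;
}

int main(void)
{
    int n;
    printf("unchecked: %ld\n", der_get_length(sample_bad, (int)sizeof sample_bad, &n));
    printf("checked:   %ld\n", der_get_length_checked(sample_bad, (int)sizeof sample_bad, &n));
    printf("valid:     %ld\n", der_get_length_checked(sample_ok, (int)sizeof sample_ok, &n));
    return 0;
}
```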