Date: Tue, 20 Mar 2012 10:54:11 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Stefan Cornelius <scorneli@...hat.com>
Subject: Re: CVE request: libtasn1 "asn1_get_length_der()"
 DER decoding issue

On 03/20/2012 06:40 AM, Stefan Cornelius wrote:
> Hi,
> 
> libtasn1 version 2.12 was released fixing the following issue:
> 
>   - Corrected DER decoding issue (reported by Matthew Hall).
>     Added self check to detect the problem, see tests/Test_overflow.c.
>     This problem can lead to at least remotely triggered crashes, see
>     further analysis on the libtasn1 mailing list.
> 
> Further issue details from Simon Josefsson [1]:
> 
> I want to mention that there was no security problem in the
> asn1_get_length_der function.  It was working properly and as documented
> before.  The security problem was the callers not checking that the
> returned values were reasonable, i.e., that the output length was less
> than or equal to the total length of the buffer.  However, fixing all
> callers of this function would be a huge amount of work.  Instead, we
> made asn1_get_length_der return an error code when the situation
> occurred, to protect callers.  This fix could be the wrong thing if some
> code out there calls the function with a der_len parameter that is
> smaller than the entire DER structure length.  However, we are hoping
> that is not in any significant use, and that overall security will be
> improved by having the function sanity check its output rather than
> letting the caller do that.  This was a judgement call.
> 
> [1] http://thread.gmane.org/gmane.comp.gnu.libtasn1.general/54
> 
> It appears like GnuTLS is affected as well (but probably does not need a
> separate CVE at this point):
> http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5952/
> http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5957/
> 
> -- References --
> 
> Release announcement:
> http://article.gmane.org/gmane.comp.gnu.libtasn1.general/53
> 
> Small analysis + patch:
> http://thread.gmane.org/gmane.comp.gnu.libtasn1.general/54
> 
> Red Hat bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=804920
> 
> Thanks and kind regards,

Please use CVE-2012-1569 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
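
The check described in this thread, as an added example (not code from libtasn1, GnuTLS or any message here): a DER length decoder that returns an error when the decoded length exceeds what remains of the buffer, instead of leaving that comparison to each caller. The function name, return codes and sample bytes are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical return codes for this example. */
enum { DER_INDEFINITE = -1, DER_MALFORMED = -2, DER_OUT_OF_BUF = -4 };

/* Decode the DER length field at der[0], with der_len bytes available.
 * Returns the content length; *len_len gets the size of the length field. */
static long der_length_checked(const unsigned char *der, size_t der_len,
                               size_t *len_len)
{
    unsigned long ans = 0;
    *len_len = 1;
    if (der_len == 0)
        return DER_MALFORMED;
    if (!(der[0] & 0x80)) {
        ans = der[0];                     /* short form: 0..127 */
    } else {
        size_t k = der[0] & 0x7F;         /* long form: k length octets follow */
        if (k == 0)
            return DER_INDEFINITE;
        if (k > der_len - 1)
            return DER_MALFORMED;         /* length octets are truncated */
        for (size_t i = 1; i <= k; i++) {
            if (ans > (unsigned long)LONG_MAX >> 8)
                return DER_MALFORMED;     /* value would not fit in a long */
            ans = (ans << 8) | der[i];
        }
        *len_len = 1 + k;
    }
    /* Sanity check: the decoded length must fit in the rest of the buffer. */
    if (ans > der_len - *len_len)
        return DER_OUT_OF_BUF;
    return (long)ans;
}

/* Constructed samples: a length field followed by content bytes. */
static const unsigned char SAMPLE_OK[]    = { 0x03, 'a', 'b', 'c' };
static const unsigned char SAMPLE_LONG[2 + 128] = { 0x81, 0x80 }; /* 128 zero bytes */
static const unsigned char SAMPLE_LYING[] = { 0x82, 0x10, 0x00, 'a', 'b' }; /* claims 4096 */
static const unsigned char SAMPLE_TRUNC[] = { 0x82, 0x01 };
static long demo(const unsigned char *der, size_t n) { size_t ll; return der_length_checked(der, n, &ll); }

int main(void)
{
    printf("%ld %ld %ld %ld\n", demo(SAMPLE_OK, sizeof SAMPLE_OK), demo(SAMPLE_LONG, sizeof SAMPLE_LONG),
           demo(SAMPLE_LYING, sizeof SAMPLE_LYING), demo(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```

A caller that passes a der_len smaller than the whole structure, the case the quoted analysis flags as a possible compatibility break, gets DER_OUT_OF_BUF here even for well-formed input.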
