Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 20 Mar 2012 10:54:11 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Stefan Cornelius <scorneli@...hat.com>
Subject: Re: CVE request: libtasn1 "asn1_get_length_der()"
 DER decoding issue

On 03/20/2012 06:40 AM, Stefan Cornelius wrote:
> Hi,
> 
> libtasn1 version 2.12 was released fixing the following issue:
> 
>   - Corrected DER decoding issue (reported by Matthew Hall).
>     Added self check to detect the problem, see tests/Test_overflow.c.
>     This problem can lead to at least remotely triggered crashes, see
>     further analysis on the libtasn1 mailing list.
> 
> Further issue details from Simon Josefsson [1]:
> 
> I want to mention that there were no security problem in the
> asn1_get_length_der function.  It was working properly and as documented
> before.  The security problem was the callers not checking that the
> returned values were reasonable, i.e., that the output length was less
> than or equal to the total length of the buffer.  However, fixing all
> callers of this function would be a huge amount of work.  Instead, we
> made asn1_get_length_der return an error code when the situation
> occured, to protect callers.  This fix could be the wrong thing if some
> code out there calls the function with a der_len parameter that is
> smaller than the entire DER structure length.  However, we are hoping
> that is not in any significant use, and that overall security will be
> improved by having the function sanity check its output rather than
> letting the caller do that.  This was a judgement call.
> 
> [1] http://thread.gmane.org/gmane.comp.gnu.libtasn1.general/54
> 
> It appears like GnuTLS is affected as well (but probably does not need a
> separate CVE at this point):
> http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5952/
> http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5957/
> 
> -- References --
> 
> Release announcement:
> http://article.gmane.org/gmane.comp.gnu.libtasn1.general/53
> 
> Small analysis + patch:
> http://thread.gmane.org/gmane.comp.gnu.libtasn1.general/54
> 
> Red Hat bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=804920
> 
> Thanks and kind regards,

Please use CVE-2012-1569 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.