CVE-2012-1569

Priority
Medium
Description
The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12,
as used in GnuTLS before 3.0.16 and other products, does not properly
handle certain large length values, which allows remote attackers to cause
a denial of service (heap memory corruption and application crash) or
possibly have unspecified other impact via a crafted ASN.1 structure.
References
Bugs
Notes
jdstrand> per Simon Josefsson (upstream), asn1_get_length_der() does not
itself have the vulnerability, but that callers wouldn't check its return
code which could cause a DoS. It was deemed easier for asn1_get_length_der()
to throw an error rather than changing all callers.
jdstrand> archive grep results for asn1_get_length_der():
https://chinstrap.canonical.com/~jamie/libtasn1.log
mdeslaur> gnutls test: http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commit;h=88138dc44fc00f2887956d71e0febd2656e1fd9f
mdeslaur> libtasn test:
mdeslaur> http://git.savannah.gnu.org/cgit/libtasn1.git/plain/tests/Test_overflow.c
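
The notes above describe making the length decoder itself fail when a decoded length cannot fit in the remaining input, so that callers need only reject a negative result. The following is an added illustration of that pattern, not libtasn1 code; `der_get_length`, `der_length_usable` and the negative return codes are this example's own names and assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper, not libtasn1 code. Decodes a DER length field and
 * returns the content length, or a negative code chosen for this example:
 *   -1 indefinite form, -2 value overflows long, -4 runs past the input.
 * *len_len receives the size of the length field itself. */
long der_get_length(const unsigned char *der, size_t der_len, size_t *len_len)
{
    *len_len = 0;
    if (der_len == 0)
        return -4;
    if (!(der[0] & 0x80)) {                 /* short form: 0..127 */
        *len_len = 1;
        return ((size_t)der[0] > der_len - 1) ? -4 : (long)der[0];
    }
    size_t k = der[0] & 0x7F;               /* long form: k bytes follow */
    if (k == 0) { *len_len = 1; return -1; }
    if (k > der_len - 1)
        return -4;                          /* length bytes are truncated */
    unsigned long ans = 0;
    for (size_t i = 1; i <= k; i++) {
        if (ans > (unsigned long)(LONG_MAX >> 8))
            return -2;                      /* next shift would overflow */
        ans = (ans << 8) | der[i];
    }
    *len_len = k + 1;
    if (ans > der_len - *len_len)
        return -4;                          /* claims more than is present */
    return (long)ans;
}

/* Caller side: any negative result is rejected before it is used as a size. */
int der_length_usable(const unsigned char *der, size_t der_len)
{
    size_t len_len;
    return der_get_length(der, der_len, &len_len) >= 0;
}

int main(void)
{
    /* Constructed input: long form claiming 0x7FFFFFFF bytes, 1 present. */
    const unsigned char crafted[] = { 0x84, 0x7F, 0xFF, 0xFF, 0xFF, 0x00 };
    size_t n;
    printf("%ld\n", der_get_length(crafted, sizeof crafted, &n));
    return 0;
}
```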
Assigned-to
mdeslaur
Package
Upstream:released (2.12-1)
Ubuntu 8.04 LTS (Hardy Heron):released (1.1-1ubuntu0.1)
Ubuntu 10.04 LTS (Lucid Lynx):released (2.4-1ubuntu0.1)
Ubuntu 11.04 (Natty Narwhal):released (2.7-1ubuntu1.1)
Ubuntu 11.10 (Oneiric Ocelot):released (2.9-4ubuntu0.1)
Ubuntu 12.04 LTS (Precise Pangolin):released (2.10-1ubuntu1.1)
Ubuntu 12.10 (Quantal Quetzal):not-affected (2.12-1)
Patches:
Upstream:http://article.gmane.org/gmane.comp.gnu.libtasn1.general/54
Vendor:http://www.debian.org/security/2012/dsa-2440

Updated: 2012-06-01 15:22:43 UTC (commit 5347)