Candidate: CVE-2019-17362
PublicDate: 2019-10-09 01:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17362
 https://github.com/libtom/libtomcrypt/issues/507
 https://github.com/libtom/libtomcrypt/pull/508
 https://lists.debian.org/debian-lts-announce/2019/10/msg00010.html
 https://vuldb.com/?id.142995
Description:
 In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in
 der_decode_utf8_string.c) does not properly detect certain invalid UTF-8
 sequences. This allows context-dependent attackers to cause a denial of
 service (out-of-bounds read and crash) or read information from other
 memory locations via carefully crafted DER-encoded data.
Ubuntu-Description:
 It was discovered that LibTomCrypt incorrectly handled certain inputs. An
 attacker could possibly use this issue to cause a denial of service or read
 sensitive information.
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H [9.1 CRITICAL]


Patches_libtomcrypt:
upstream_libtomcrypt: released (1.17-6+deb8u1)
precise/esm_libtomcrypt: DNE
trusty_libtomcrypt: ignored (out of standard support)
trusty/esm_libtomcrypt: needed
xenial_libtomcrypt: ignored (end of standard support, was needed)
bionic_libtomcrypt: needed
disco_libtomcrypt: ignored (reached end-of-life)
eoan_libtomcrypt: ignored (reached end-of-life)
focal_libtomcrypt: not-affected (1.18.2-3)
groovy_libtomcrypt: not-affected (1.18.2-3)
hirsute_libtomcrypt: not-affected (1.18.2-3)
impish_libtomcrypt: not-affected (1.18.2-3)
jammy_libtomcrypt: not-affected (1.18.2-3)
devel_libtomcrypt: not-affected (1.18.2-3)