libtasn1-6: CVE-2017-6891

Debian Bug report logs - #863186
libtasn1-6: CVE-2017-6891

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libtasn1-6: CVE-2017-6891

Date: Tue, 23 May 2017 06:57:49 +0200

Source: libtasn1-6
Version: 4.2-3
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for libtasn1-6.

CVE-2017-6891[0]:
| Two errors in the "asn1_find_node()" function (lib/parser_aux.c)
| within GnuTLS libtasn1 version 4.10 can be exploited to cause a
| stacked-based buffer overflow by tricking a user into processing a
| specially crafted assignments file via the e.g. asn1Coding utility.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6891
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6891
[1] https://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=5520704d075802df25ce4ffccc010ba1641bd484

Regards,
Salvatore

Message #10 received at 863186@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 863186@bugs.debian.org

Subject: Re: Bug#863186: libtasn1-6: CVE-2017-6891

Date: Wed, 24 May 2017 12:46:35 +0200

Control: severity -1 serious

Rationale: got fixed in a DSA, and to avoid the regression should be
RC for stretch.

Regards,
Salvatore

Message #17 received at 863186@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 863186@bugs.debian.org

Subject: libtasn1-6: diff for NMU version 4.10-1.1

Date: Thu, 25 May 2017 10:41:37 +0200

[Message part 1 (text/plain, inline)]

Control: tags 863186 + pending

Dear maintainer,

I've prepared an NMU for libtasn1-6 (versioned as 4.10-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer (or reschedule to earlier, or cancel if you
would like to do an upload on your own).

Regards,
Salvatore

[libtasn1-6-4.10-1.1-nmu.diff (text/x-diff, attachment)]

Message #24 received at 863186@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@bebt.de>

To: Salvatore Bonaccorso <carnil@debian.org>, 863186@bugs.debian.org

Subject: Re: Bug#863186: libtasn1-6: diff for NMU version 4.10-1.1

Date: Sun, 28 May 2017 18:47:55 +0200

[Message part 1 (text/plain, inline)]

On 2017-05-25 Salvatore Bonaccorso <carnil@debian.org> wrote:
> Control: tags 863186 + pending

> Dear maintainer,

> I've prepared an NMU for libtasn1-6 (versioned as 4.10-1.1) and
> uploaded it to DELAYED/5. Please feel free to tell me if I
> should delay it longer (or reschedule to earlier, or cancel if you
> would like to do an upload on your own).
[...]

Thank you, rescheduled to 0-day.

cu Andreas

[signature.asc (application/pgp-signature, inline)]

Message #29 received at 863186@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@bebt.de>

To: 863186@bugs.debian.org

Subject: [ftpmaster@ftp-master.debian.org: Processing of dcut._ametzler_debian_org_.1495989962.26313.commands]

Date: Sun, 28 May 2017 19:00:35 +0200

----- Forwarded message from Debian FTP Masters <ftpmaster@ftp-master.debian.org> -----
Date: Sun, 28 May 2017 16:59:01 +0000
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: ametzler@debian.org
Subject: Processing of dcut._ametzler_debian_org_.1495989962.26313.commands
Message-Id: <E1dF1Wv-0003wq-Q1@usper.debian.org>

Log of processing your commands file /dcut._ametzler_debian_org_.1495989962.26313.commands:

> reschedule libtasn1-6_4.10-1.1_allonly.changes 0-day
libtasn1-6_4.10-1.1_allonly.changes moved to 0-day
libtasn1-6_4.10-1.1.dsc moved to 0-day
libtasn1-6_4.10-1.1.debian.tar.xz moved to 0-day
libtasn1-3-bin_4.10-1.1_all.deb moved to 0-day
libtasn1-doc_4.10-1.1_all.deb moved to 0-day

Greetings,

	Your Debian queue daemon (running on host usper.debian.org)
----- End forwarded message -----

Message #34 received at 863186-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 863186-close@bugs.debian.org

Subject: Bug#863186: fixed in libtasn1-6 4.10-1.1

Date: Sun, 28 May 2017 17:03:35 +0000

Source: libtasn1-6
Source-Version: 4.10-1.1

We believe that the bug you reported is fixed in the latest version of
libtasn1-6, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863186@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libtasn1-6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 25 May 2017 10:25:56 +0200
Source: libtasn1-6
Binary: libtasn1-6-dev libtasn1-doc libtasn1-6 libtasn1-bin libtasn1-3-bin
Architecture: all source
Version: 4.10-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 863186
Description: 
 libtasn1-3-bin - transitional libtasn1-3-bin package
 libtasn1-6 - Manage ASN.1 structures (runtime)
 libtasn1-6-dev - Manage ASN.1 structures (development)
 libtasn1-bin - Manage ASN.1 structures (binaries)
 libtasn1-doc - Manage ASN.1 structures (documentation)
Changes:
 libtasn1-6 (4.10-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * asn1_find_node: added safety check on asn1_find_node() (CVE-2017-6891)
     (Closes: #863186)
Checksums-Sha1: 
 0abdf466267ebdab8f19bd83203bb8fa5d3660af 2586 libtasn1-6_4.10-1.1.dsc
 d901e81f3d552be26f13f5811606b743f1b4f24c 58400 libtasn1-6_4.10-1.1.debian.tar.xz
 25cccadaf153cf9a04056155e39bb52d5db1733c 18162 libtasn1-3-bin_4.10-1.1_all.deb
 9baff143c0369a6b1e54bfee694f6ef005241657 315412 libtasn1-doc_4.10-1.1_all.deb
Checksums-Sha256: 
 1ace0b64d79a7c79d00d9f7719ce56c5274fbfd253681f01b303badb09242c1b 2586 libtasn1-6_4.10-1.1.dsc
 275f7e74697ca1ef085dab5e41fe82d0c9ee898d4f6f4cd2873b09099850e939 58400 libtasn1-6_4.10-1.1.debian.tar.xz
 adb106edcc4e37888451391c93a5b5a8d164eef3ad31b5b0f06623900489d53c 18162 libtasn1-3-bin_4.10-1.1_all.deb
 88cd69b193552e3f823535c3a79afd6f5dfce55195f31770f8e432c046fbaaa0 315412 libtasn1-doc_4.10-1.1_all.deb
Files: 
 4ab385b11a417d6a9fead1ba189f7433 2586 libs standard libtasn1-6_4.10-1.1.dsc
 1cefc4fb68676d72837aad4114a3234f 58400 libs standard libtasn1-6_4.10-1.1.debian.tar.xz
 25d5b68a99bdf7e4167853e02c4bf7bf 18162 oldlibs extra libtasn1-3-bin_4.10-1.1_all.deb
 83cb1fd3a80a991410f85985e54f49a2 315412 doc extra libtasn1-doc_4.10-1.1_all.deb

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlkml9lfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89Ed+kQAJkR7qw/FtknpglN7/0wEtWiUhoRgt+g
kmc00VJUqEqf4bL/B0gqk9VNIf5BJD5V/xG6+hxfQro2OQ+yJfFuswVF5PT28St9
NzzLG7jOIeGJcoDEW44jhZO4mqW/lb0X+eOOlsYC0nOrxdQVygI+i1mUaSGTKEmB
Lg4qOm1BT6Ii5xB62iC1OT0rFjoG/lOMLTMN5HIfOl38Z9svmZJ6cVTQkBdTBipE
reiF1FwqSH4dc0Ih0nr2z7kBIfvpWRlhqI2H3XQiyX5T7b5ld6CW6DmqBtKGgrLs
CH3Ka+JC2CwEM1Pjypof72GnPuGZKKkE+Yh+dFuG6sG2ZPuKt/qseRE5KvuHjAjJ
WeuG4j/f25sy0yEw/UlLCmrSvzUqO3guhZa38HfTDQiB900NU2BSacpoFNFaj+lE
i86ZGvVlYbNeFB/AAgSVpbyvPJYJwTsmPZ0OwybIM2rJW2n3tuKXjMdW1M3yV+kA
V9u4/pSiwy/3amUnsrbVhN1pL1zHPchhQVtOFBEHxKOSaAnOasgs4H6FMuMGXoXK
ffwGyLH6ONOqIu1AWViCNL4Utwf/dg3YzBrbaO+8ic7s1GFsKavJ8M8zDed110XK
4S8qkXwnQylWoU34mPs3HpFT4/LJCZNAMQBx6vlbBA/2uhi3icrhEe7C1B9wBV9y
cneoVoWLcUUz
=Fm33
-----END PGP SIGNATURE-----

Message #39 received at 863186-close@bugs.debian.org (full text, mbox, reply):

From: Thorsten Alteholz <debian@alteholz.de>

To: 863186-close@bugs.debian.org

Subject: Bug#863186: fixed in libtasn1-6 4.2-3+deb8u3

Date: Mon, 29 May 2017 13:47:28 +0000

Source: libtasn1-6
Source-Version: 4.2-3+deb8u3

We believe that the bug you reported is fixed in the latest version of
libtasn1-6, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863186@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated libtasn1-6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 23 May 2017 19:01:02 +0200
Source: libtasn1-6
Binary: libtasn1-6-dev libtasn1-doc libtasn1-6-dbg libtasn1-6 libtasn1-bin libtasn1-3-bin
Architecture: source amd64 all
Version: 4.2-3+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description:
 libtasn1-3-bin - transitional libtasn1-3-bin package
 libtasn1-6 - Manage ASN.1 structures (runtime)
 libtasn1-6-dbg - Manage ASN.1 structures (debugging symbols)
 libtasn1-6-dev - Manage ASN.1 structures (development)
 libtasn1-bin - Manage ASN.1 structures (binaries)
 libtasn1-doc - Manage ASN.1 structures (documentation)
Closes: 863186
Changes:
 libtasn1-6 (4.2-3+deb8u3) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Wheezy LTS Team.
   * CVE-2017-6891 (Closes: #863186)
     two errors in the "asn1_find_node()" function (lib/parser_aux.c)
     can be exploited to cause a stacked-based buffer overflow.
Checksums-Sha1:
 bd3e7ea36161f91550666aaef4c617032c5211be 2607 libtasn1-6_4.2-3+deb8u3.dsc
 d2fe4bf12dbdc4d6765a04abbf8ddaf7e9163afa 1866192 libtasn1-6_4.2.orig.tar.gz
 90e17e607492c8c508c54c6768dfd2ee68ab8cbb 59144 libtasn1-6_4.2-3+deb8u3.debian.tar.xz
 4e88435ca76cf3298fd5202d1c6744c5653bdf8f 90824 libtasn1-6-dev_4.2-3+deb8u3_amd64.deb
 b4495d21fdacea3f3a8777738f61c2cd450a2852 305278 libtasn1-doc_4.2-3+deb8u3_all.deb
 27e377eba0abbd1e6b152d07daa06d82794d5f87 109254 libtasn1-6-dbg_4.2-3+deb8u3_amd64.deb
 44245b5d3fab184f670cda413aee7ceb0729441b 49190 libtasn1-6_4.2-3+deb8u3_amd64.deb
 80e2b99982d248dafeb03d76ab4f96df0d3257e3 23038 libtasn1-bin_4.2-3+deb8u3_amd64.deb
 029e4f139e68640ffc80ac072a8876d93b9c086f 10108 libtasn1-3-bin_4.2-3+deb8u3_all.deb
Checksums-Sha256:
 dee600f7bdacd1fa75d40a13425e6c81d36b979fd23aab468000a1bfc18706ba 2607 libtasn1-6_4.2-3+deb8u3.dsc
 693b41cb36c2ac02d5990180b0712a79a591168e93d85f7fcbb75a0a0be4cdbb 1866192 libtasn1-6_4.2.orig.tar.gz
 59ba69bafbe22542f58bc63eab30b70b5ce15673f8b7b8332c21b72e33572d28 59144 libtasn1-6_4.2-3+deb8u3.debian.tar.xz
 89a2c0ffdf5c11cc2dce44aa4dbe9681d66c7d043d0be93bb461edbea0f77e5d 90824 libtasn1-6-dev_4.2-3+deb8u3_amd64.deb
 f25d9141287e29e375364adae1bf35762191951117061eb02ea618622dac9007 305278 libtasn1-doc_4.2-3+deb8u3_all.deb
 4729a31a12a20b2289dbd8e1bff8a973501d3c2003630b7fbc5cd19fb4556416 109254 libtasn1-6-dbg_4.2-3+deb8u3_amd64.deb
 36e01f21f439ede1e6957110798375808303d2c6549236811844bf014add93d0 49190 libtasn1-6_4.2-3+deb8u3_amd64.deb
 7d838e0dc2d2ec47445296156be84fc638d56653890ac90833e20903f90bf92d 23038 libtasn1-bin_4.2-3+deb8u3_amd64.deb
 2f302ee7bf75e033590a465a46ffc378799dfcc53d17ae1646c425d51ead3faa 10108 libtasn1-3-bin_4.2-3+deb8u3_all.deb
Files:
 d34302e885211d3425684b25d847a620 2607 libs standard libtasn1-6_4.2-3+deb8u3.dsc
 414df906df421dee0a5cf7548788d153 1866192 libs standard libtasn1-6_4.2.orig.tar.gz
 bc54e843a173686b4f35e31adac3187b 59144 libs standard libtasn1-6_4.2-3+deb8u3.debian.tar.xz
 bc6dbf1ab81fe92a58a3d79307fcb66e 90824 libdevel optional libtasn1-6-dev_4.2-3+deb8u3_amd64.deb
 f26a2f27f46bdca1adaad8b6b505387d 305278 doc extra libtasn1-doc_4.2-3+deb8u3_all.deb
 6aaae6dd60151ed979be040c3d7f5ca9 109254 debug extra libtasn1-6-dbg_4.2-3+deb8u3_amd64.deb
 a499b50b82bf324aba2f937fd5b3f4ea 49190 libs standard libtasn1-6_4.2-3+deb8u3_amd64.deb
 85609be9b6a14b1f25355bae064a96f9 23038 devel extra libtasn1-bin_4.2-3+deb8u3_amd64.deb
 97c96b45604466f6123490babddb2a1c 10108 oldlibs extra libtasn1-3-bin_4.2-3+deb8u3_all.deb

-----BEGIN PGP SIGNATURE-----

iQKnBAEBCgCRFiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAlklVApfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcTHGRlYmlhbkBh
bHRlaG9sei5kZQAKCRCW/KwNOHtYR81CEAChlNI1t8ONiI4XWUl8sjNbQDHXrm0M
utsBy7C737iHkh/ro6REl0VjkXXm2N+dUbYUFZMXetUBhFF10Y+kPp2wXRi/g8zV
TljaHctp2yOH7gkYE5Ca8GnIkF3pKFnAe80Dpwwks9NUJgqqQ1sphjuA4iMTB04D
amK9UV4NbCW/s3YyLBUiZsHeCAn65UKu0XgQX1Y4lPwAtVJCNHMu/Pyibvygckz+
Y6Ovq0snvQADquKjH0/P37LGi6Z5mPAHz3XD3DIPSC3le6jTRPP6pfg4Ct4gSKRD
vv/6ThE1axsS08U/tqRCA/E2n49x4Ef6jwAAhbo6sY4BROCa4xfvz26xz9Ex7BOo
UdtJase1nz+vfvRzeoWr8oqA8dRnvFiihRQmJi+1S4kd+/3AnPRksrdwLkRBY4Zy
QAU4zwBWkVWJxWfDOcDLaY0rgElniAms7gQeTaAbV5aP3sIHxC44SZln5Cz4YvlS
vc1vOw0gbYelLxXZiIPAgsdGEFrbPZkd83HeU8DjTfROtb1rPN2s2p/2zGqoLxFE
T4/F8AQBEDnI7wUG7JtbZXQL1AWahXgjYrcZw+ghE5VvuRtdUsmTUqYhqzWI4g9k
GXrqh8Ss67c1yQ6J8mDGcfOxpiZSJEEYKu4FGy2a/AJ0Ck39Qb6dx5KKzBKqranJ
e3WEXY12z6yg7A==
=f0vu
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.