libtasn1-6: CVE-2017-10790

Debian Bug report logs - #867398
libtasn1-6: CVE-2017-10790

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libtasn1-6: CVE-2017-10790

Date: Thu, 06 Jul 2017 14:52:15 +0200

Source: libtasn1-6
Version: 4.2-1
Severity: normal
Tags: security upstream

Hi,

the following vulnerability was published for libtasn1-6, filling the
bug to track the issue, but the impact is disputable.

CVE-2017-10790[0]:
| The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes
| a NULL pointer dereference and crash when reading crafted input that
| triggers assignment of a NULL value within an asn1_node structure. It
| may lead to a remote denial of service attack.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10790
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10790
[1] https://bugzilla.novell.com/show_bug.cgi?id=1047002
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1464141

Regards,
Salvatore

Message #10 received at 867398@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 867398@bugs.debian.org

Subject: libtasn1-6: diff for NMU version 4.12-2.1

Date: Tue, 25 Jul 2017 07:14:15 +0200

[Message part 1 (text/plain, inline)]

Control: tags 867398 + patch
Control: tags 867398 + pending

Hi Andreas,

I've prepared an NMU for libtasn1-6 (versioned as 4.12-2.1) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer. I still agree the fix is not urgent, but while
looking for the fixing commit, I produced builts, so proposed the NMU.
I can happily drop it if you feel it's not needed. OTOH if unstable is
fixed an update for a future point release for both jessie and stretch
would be good.

Regards,
Salvatore

[libtasn1-6-4.12-2.1-nmu.diff (text/x-diff, attachment)]

Message #19 received at 867398-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 867398-close@bugs.debian.org

Subject: Bug#867398: fixed in libtasn1-6 4.12-2.1

Date: Tue, 25 Jul 2017 17:19:24 +0000

Source: libtasn1-6
Source-Version: 4.12-2.1

We believe that the bug you reported is fixed in the latest version of
libtasn1-6, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867398@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libtasn1-6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 25 Jul 2017 07:04:58 +0200
Source: libtasn1-6
Binary: libtasn1-6-dev libtasn1-doc libtasn1-6 libtasn1-bin libtasn1-3-bin
Architecture: source
Version: 4.12-2.1
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 867398
Description: 
 libtasn1-3-bin - transitional libtasn1-3-bin package
 libtasn1-6 - Manage ASN.1 structures (runtime)
 libtasn1-6-dev - Manage ASN.1 structures (development)
 libtasn1-bin - Manage ASN.1 structures (binaries)
 libtasn1-doc - Manage ASN.1 structures (documentation)
Changes:
 libtasn1-6 (4.12-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * _asn1_check_identifier: safer access to values read (CVE-2017-10790)
     (Closes: #867398)
Checksums-Sha1: 
 18c0852b25351439ff9ac6b158514cbefe301260 2586 libtasn1-6_4.12-2.1.dsc
 06544ae5c4ecaa64f2f076b95289e76550143122 58728 libtasn1-6_4.12-2.1.debian.tar.xz
Checksums-Sha256: 
 0f762f07bbb39e9a49687e8bd7a18a5d3cc435d6c226eaecfcda7a8d325c2cef 2586 libtasn1-6_4.12-2.1.dsc
 df32c448a8472eff20fa6989f939cbc0e2caf0d4bb712e54b31b39bbd6d8b781 58728 libtasn1-6_4.12-2.1.debian.tar.xz
Files: 
 6982161a0f92ed7e0121dd6529b523a9 2586 libs standard libtasn1-6_4.12-2.1.dsc
 fe3af74f35c8de66dd94e94df1c91c96 58728 libs standard libtasn1-6_4.12-2.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAll20lhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EtFsQAJM/w2Cd9/EEJUjBVmUmLZZwe0MuOMuF
+M25rle/gnmxYMeGERtqN9/2jhakGOILs6+sb9Py+gQzbb4s1VLhI+lqLe725P/b
VN9vXgwGrptk17OW4OAhKK8EuzbDmFDDdTEvPMoH6CNfNHIuIl0g8XRcpvch+fLb
329EBtt2wMz8orhmHGzynqP0xLBLxiJsPTmUW1j8/hbzduE7HVDUagNYR2ZZfZIv
TPzdt+9RFuKdAqyLZ+oTS4CIkfPzqvp+Yxo21thh4iZuxOiA09xEnYDzQPR90p09
TVidX87n2/9d6gzEaCoWwizKf89/RNeZI4dwkuLV38HevubhOn9hcLauCLexzXFa
Vrqby/xMLef4aO+zVc+Yc/3q83o0geXuQqmFNKfmPk4fQrHOln6+ftzZhWJt9gXl
CkgddR5Ub1hVCCwCn+dYRWHUI/8+qSrA81PTfabXtk1T1UCFwA66aHwu4ZNswR/8
KlRD4V2TjH4C9yc8TfO2DhXOp99s+HftY7Ct+sAwsxK55AfkC4P6iW8DuNY/INoX
BWJZYBtdYD0YIID3ElfKZl5dIwzV3kHirRpA39HhptbtVRu3Su+02cZT7VZXJZHk
2ylfH4yN0pk4WAomLHlr4spXjPp602BLL5qC5NVTjV4NVzPYRW75gIlYVaHtgBdE
MsKB9KazySsu
=aooo
-----END PGP SIGNATURE-----

Message #24 received at 867398@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@bebt.de>

To: Salvatore Bonaccorso <carnil@debian.org>, 867398@bugs.debian.org

Subject: Re: Bug#867398: libtasn1-6: diff for NMU version 4.12-2.1

Date: Tue, 25 Jul 2017 19:30:20 +0200

On 2017-07-25 Salvatore Bonaccorso <carnil@debian.org> wrote:
> I've prepared an NMU for libtasn1-6 (versioned as 4.12-2.1) and
> uploaded it to DELAYED/10. Please feel free to tell me if I
> should delay it longer. I still agree the fix is not urgent, but while
> looking for the fixing commit, I produced builts, so proposed the NMU.
> I can happily drop it if you feel it's not needed. OTOH if unstable is
> fixed an update for a future point release for both jessie and stretch
> would be good.

Hello Salvatore,

Thanks for doing this - I have rescheduled to 0-day.

The upstream report ended with
| I still do not see how can this be exploited.
and nothing further.

So I kept waiting, and did not make single-patch upload.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Message #29 received at 867398@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Andreas Metzler <ametzler@bebt.de>, 867398@bugs.debian.org

Subject: Re: Bug#867398: libtasn1-6: diff for NMU version 4.12-2.1

Date: Tue, 25 Jul 2017 20:47:52 +0200

Hi Andreas,

On Tue, Jul 25, 2017 at 07:30:20PM +0200, Andreas Metzler wrote:
> On 2017-07-25 Salvatore Bonaccorso <carnil@debian.org> wrote:
> > I've prepared an NMU for libtasn1-6 (versioned as 4.12-2.1) and
> > uploaded it to DELAYED/10. Please feel free to tell me if I
> > should delay it longer. I still agree the fix is not urgent, but while
> > looking for the fixing commit, I produced builts, so proposed the NMU.
> > I can happily drop it if you feel it's not needed. OTOH if unstable is
> > fixed an update for a future point release for both jessie and stretch
> > would be good.
> 
> Hello Salvatore,
> 
> Thanks for doing this - I have rescheduled to 0-day.

Thanks, noticed!

> The upstream report ended with
> | I still do not see how can this be exploited.
> and nothing further.
> 
> So I kept waiting, and did not make single-patch upload.

Yup, same here, but as said, while investigating the fix/issue I
produced the easy debdiff, so was just not much more work to propse it
as well.

Thanks a lot for your overall work!

Regards,
Salvatore

Message #40 received at 867398-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 867398-close@bugs.debian.org

Subject: Bug#867398: fixed in libtasn1-6 4.10-1.1+deb9u1

Date: Thu, 08 Feb 2018 21:20:35 +0000

Source: libtasn1-6
Source-Version: 4.10-1.1+deb9u1

We believe that the bug you reported is fixed in the latest version of
libtasn1-6, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867398@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libtasn1-6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 30 Jan 2018 22:23:33 +0100
Source: libtasn1-6
Binary: libtasn1-6-dev libtasn1-doc libtasn1-6 libtasn1-bin libtasn1-3-bin
Architecture: source
Version: 4.10-1.1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 867398
Description: 
 libtasn1-3-bin - transitional libtasn1-3-bin package
 libtasn1-6 - Manage ASN.1 structures (runtime)
 libtasn1-6-dev - Manage ASN.1 structures (development)
 libtasn1-bin - Manage ASN.1 structures (binaries)
 libtasn1-doc - Manage ASN.1 structures (documentation)
Changes:
 libtasn1-6 (4.10-1.1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * _asn1_check_identifier: safer access to values read (CVE-2017-10790)
     (Closes: #867398)
   * _asn1_decode_simple_ber: restrict the levels of recursion to 3
     (CVE-2018-6003)
Checksums-Sha1: 
 7b53e95c2d8615131cbdc01c3fa53a65ae0b990f 2614 libtasn1-6_4.10-1.1+deb9u1.dsc
 c7b36fa50866bbc889f7503c7fd1e9f9d7c52a64 1887057 libtasn1-6_4.10.orig.tar.gz
 da43860893146e9350d195de854975d4cdbd7602 59716 libtasn1-6_4.10-1.1+deb9u1.debian.tar.xz
Checksums-Sha256: 
 e9095d4d79e1015c2c2d3e8868d3c50f3b43510387a9ec9191d83ff57024fb39 2614 libtasn1-6_4.10-1.1+deb9u1.dsc
 681a4d9a0d259f2125713f2e5766c5809f151b3a1392fd91390f780b4b8f5a02 1887057 libtasn1-6_4.10.orig.tar.gz
 fed5f50904fbfecc50d253aa4bc62221849e363430f71125039ada1512807937 59716 libtasn1-6_4.10-1.1+deb9u1.debian.tar.xz
Files: 
 94853e6afe626875cccea81702d88f75 2614 libs standard libtasn1-6_4.10-1.1+deb9u1.dsc
 f4faffdf63969d0e4e6df43b9679e8e5 1887057 libs standard libtasn1-6_4.10.orig.tar.gz
 218919470bef9b5666d149d57017adf3 59716 libs standard libtasn1-6_4.10-1.1+deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlpw5rpfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E7S0P/j2VZLd9ktF44AmPK98EdwqGDnOHGdGn
wRMeizO6Rt0I+4WxMrglYmkDmR2+LxaZAr3O5ZhbgwkoZy/6h49OiPGcbUP4EvxE
wMHUvKlS9J0ZZlVeLy8qQGUSG9H260x3qCsAwy5w5phYNJ9GxJ8fynlfdYz9Xrb7
0siiaMtTSDMqOuNi0xTo7mKMgBikD46JYpIRTAJsUAAryt/t7uk4PH8RVMMqyh4e
GVZfF9LrpQAYowwDtyqHqKyFYRx4Jdr0Az0CW64QpCyXZDEOPvI00Cc/ObXjlnAj
ftTI9RpYjpKn6yscU29YygZ5DEq77haBaiGcoa7LJiSpCCR9XqnnlDB4aVAR6NCK
yo53H4e/kIJ3G0J9jRuD15RgzcGqT5tMNDIRmEVHzKnNEQ5blBcfrvu97qONOq1o
75zsmK7iM3Gilr6opDZpmWdEjESXnORVE5fi+l7Rpb13cVxTU5Vvxy8OevpAeYu8
sKRR7+G9cNoWwYVoDWVhgIAZrJNy2kCW8+GlEw1ZoZN46IaBM6HBTsYaxILI5k6G
y2yXha3onaOMjcXBI0OxwqTRI4UG2zUZhyG1R2WvCqD5CjDLZtALfEWhAWH1LIB9
WQ70Z+/TwGG9eTFwu+KwBiF9x4CW5bBOF4Ih4p62soAKMWueXMhpVZMlJ8I6B6jw
UCWbc37fB0ia
=QqND
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.