[gentoo-announce] [ GLSA 200602-08 ] libtasn1, GNU TLS: Security flaw in DER decoding - gentoo-announce

From:	Thierry Carrez <koon@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200602-08 ] libtasn1, GNU TLS: Security flaw in DER decoding
Date:	Thu, 16 Feb 2006 20:56:46
Message-Id:	`43F4E088.9010004@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200602-08

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: High

8

     Title: libtasn1, GNU TLS: Security flaw in DER decoding

9

      Date: February 16, 2006

10

      Bugs: #122307

11

        ID: 200602-08

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A flaw in the parsing of Distinguished Encoding Rules (DER) has been

19

discovered in libtasn1, potentially resulting in the execution of

20

arbitrary code.

21

22

Background

23

==========

24

25

Libtasn1 is a library used to parse ASN.1 (Abstract Syntax Notation

26

One) objects, and perform DER (Distinguished Encoding Rules) decoding.

27

Libtasn1 is included with the GNU TLS library, which is used by

28

applications to provide a cryptographically secure communications

29

channel.

30

31

Affected packages

32

=================

33

34

    -------------------------------------------------------------------

35

     Package            /  Vulnerable  /                    Unaffected

36

    -------------------------------------------------------------------

37

  1  dev-libs/libtasn1      < 0.2.18                         >= 0.2.18

38

  2  net-libs/gnutls        < 1.2.10                         >= 1.2.10

39

    -------------------------------------------------------------------

40

     2 affected packages on all of their supported architectures.

41

    -------------------------------------------------------------------

42

43

Description

44

===========

45

46

Evgeny Legerov has reported a flaw in the DER decoding routines

47

provided by libtasn1, which could cause an out of bounds access to

48

occur.

49

50

Impact

51

======

52

53

A remote attacker could cause an application using libtasn1 to crash

54

and potentially execute arbitrary code by sending specially crafted

55

input.

56

57

Workaround

58

==========

59

60

There is no known workaround at this time.

61

62

Resolution

63

==========

64

65

All libtasn1 users should upgrade to the latest version:

66

67

    # emerge --sync

68

    # emerge --ask --oneshot --verbose ">=dev-libs/libtasn1-0.2.18"

69

70

All GNU TLS users should upgrade to the latest version:

71

72

    # emerge --sync

73

    # emerge --ask --oneshot --verbose ">=net-libs/gnutls-1.2.10"

74

75

References

76

==========

77

78

  [ 1 ] CVE-2006-0645

79

        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0645

80

81

Availability

82

============

83

84

This GLSA and any updates to it are available for viewing at

85

the Gentoo Security Website:

86

87

  http://security.gentoo.org/glsa/glsa-200602-08.xml

88

89

Concerns?

90

=========

91

92

Security is a primary focus of Gentoo Linux and ensuring the

93

confidentiality and security of our users machines is of utmost

94

importance to us. Any security concerns should be addressed to

95

security@g.o or alternatively, you may file a bug at

96

http://bugs.gentoo.org.

97

98

License

99

=======

100

101

Copyright 2006 Gentoo Foundation, Inc; referenced text

102

belongs to its owner(s).

103

104

The contents of this document are licensed under the

105

Creative Commons - Attribution / Share Alike license.

106

107

http://creativecommons.org/licenses/by-sa/2.0

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200602-08
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: High
8	Title: libtasn1, GNU TLS: Security flaw in DER decoding
9	Date: February 16, 2006
10	Bugs: #122307
11	ID: 200602-08
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A flaw in the parsing of Distinguished Encoding Rules (DER) has been
19	discovered in libtasn1, potentially resulting in the execution of
20	arbitrary code.
21
22	Background
23	==========
24
25	Libtasn1 is a library used to parse ASN.1 (Abstract Syntax Notation
26	One) objects, and perform DER (Distinguished Encoding Rules) decoding.
27	Libtasn1 is included with the GNU TLS library, which is used by
28	applications to provide a cryptographically secure communications
29	channel.
30
31	Affected packages
32	=================
33
34	-------------------------------------------------------------------
35	Package / Vulnerable / Unaffected
36	-------------------------------------------------------------------
37	1 dev-libs/libtasn1 < 0.2.18 >= 0.2.18
38	2 net-libs/gnutls < 1.2.10 >= 1.2.10
39	-------------------------------------------------------------------
40	2 affected packages on all of their supported architectures.
41	-------------------------------------------------------------------
42
43	Description
44	===========
45
46	Evgeny Legerov has reported a flaw in the DER decoding routines
47	provided by libtasn1, which could cause an out of bounds access to
48	occur.
49
50	Impact
51	======
52
53	A remote attacker could cause an application using libtasn1 to crash
54	and potentially execute arbitrary code by sending specially crafted
55	input.
56
57	Workaround
58	==========
59
60	There is no known workaround at this time.
61
62	Resolution
63	==========
64
65	All libtasn1 users should upgrade to the latest version:
66
67	# emerge --sync
68	# emerge --ask --oneshot --verbose ">=dev-libs/libtasn1-0.2.18"
69
70	All GNU TLS users should upgrade to the latest version:
71
72	# emerge --sync
73	# emerge --ask --oneshot --verbose ">=net-libs/gnutls-1.2.10"
74
75	References
76	==========
77
78	[ 1 ] CVE-2006-0645
79	http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0645
80
81	Availability
82	============
83
84	This GLSA and any updates to it are available for viewing at
85	the Gentoo Security Website:
86
87	http://security.gentoo.org/glsa/glsa-200602-08.xml
88
89	Concerns?
90	=========
91
92	Security is a primary focus of Gentoo Linux and ensuring the
93	confidentiality and security of our users machines is of utmost
94	importance to us. Any security concerns should be addressed to
95	security@g.o or alternatively, you may file a bug at
96	http://bugs.gentoo.org.
97
98	License
99	=======
100
101	Copyright 2006 Gentoo Foundation, Inc; referenced text
102	belongs to its owner(s).
103
104	The contents of this document are licensed under the
105	Creative Commons - Attribution / Share Alike license.
106
107	http://creativecommons.org/licenses/by-sa/2.0