Bug 1621972 (CVE-2018-1000654)

Summary: CVE-2018-1000654 libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abhgupta, bbuckingham, bcourt, bkearney, bmcclain, crypto-team, dbaker, dfediuck, eedri, ehelms, erik-fedora, ggainey, jokerman, juwatts, klember, mgoldboi, mhulan, michal.skrivanek, mike, mmccune, mperina, nmoumoul, ohadlevy, pcreech, rchan, rh-bugzilla, rh-spice-bugs, rjerrido, sbonazzo, sherold, slawomir, smallamp, ssorce, sthangav, szidek, trankin
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in GNU Libtasn1, where a resource management issue can lead to a denial of service, here an attacker could exploit this flaw by persuading a victim to parse a specially crafted file, exhausting all available CPU resources.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-25 22:17:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1621973, 1621974, 1621975, 1621976, 1621977, 1622397    
Bug Blocks: 1621979    

Description Sam Fowler 2018-08-24 05:17:11 UTC 
The ASN.1 library used in GNUTLS (libtasn1) through versions 4.13 allows for an infinite loop due to an issue in the _asn1_expand_object_id(p_tree) function. An attacker could exploit this via a crafted ASN.1 structure to causing high CPU usage until a resultant out-of-memory error.


Upstream Issue:

https://gitlab.com/gnutls/libtasn1/issues/4
Comment 1 Sam Fowler 2018-08-24 05:18:11 UTC 
Created libtasn1 tracking bugs for this issue:

Affects: fedora-all [bug 1621973]


Created mingw-libtasn1 tracking bugs for this issue:

Affects: epel-7 [bug 1621975]
Affects: fedora-all [bug 1621974]
Comment 3 Doran Moppert 2018-08-27 04:05:59 UTC 
As nmav@ noted in the upstream ticket, this is an issue affecting the "compile-time" parsing of ASN.1 definitions and not runtime code that parses ASN.1 structures with a fixed definition (eg gnutls).  Specifically, asn1_parser2tree() when called with an invalid recursive ASN.1 definition can enter an infinite loop.

Generally, the ASN.1 definition parser is not exposed to untrusted inputs and asn1_parser2tree() offers no worst-case performance guarantees.
Comment 6 Doran Moppert 2018-11-22 22:51:07 UTC 
Statement:

This flaw is in the asn1Parser binary included in libtasn1-tools RPM. The dynamic library libtasn1 and libtasn1-devel RPMs are not affected.