Bug 2140058 (CVE-2021-46848)

Summary: CVE-2021-46848 libtasn1: Out-of-bound access in ETYPE_OK
Product: [Other] Security Response Reporter: Sandipan Roy <saroy>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bbuckingham, bcourt, btotty, ehelms, jsherril, kyoshida, lzap, mhulan, mmccune, myarboro, nmoumoul, orabin, pcreech, rchan, rh-spice-bugs, ssorce
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libtasn1 4.19.0 Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read flaw was found in Libtasn1 due to an ETYPE_OK off-by-one error in the asn1_encode_simple_der() function. This flaw allows a remote attacker to pass specially crafted data or invalid values to the application, triggering an off-by-one error, corrupting the memory, and possibly performing a denial of service (DoS) attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-01-25 14:52:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2140066, 2140067, 2140069, 2140070, 2140600, 2140601, 2140602, 2140603, 2140604    
Bug Blocks: 2137397, 2169449    

Description Sandipan Roy 2022-11-04 10:17:55 UTC 
GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.

https://gitlab.com/gnutls/libtasn1/-/issues/32
https://bugs.gentoo.org/866237
https://gitlab.com/gnutls/libtasn1/-/commit/44a700d2051a666235748970c2df047ff207aeb5
Comment 1 Sandipan Roy 2022-11-04 10:26:41 UTC 
Created libtasn1 tracking bugs for this issue:

Affects: fedora-35 [bug 2140066]
Affects: fedora-36 [bug 2140069]


Created mingw-libtasn1 tracking bugs for this issue:

Affects: fedora-35 [bug 2140067]
Affects: fedora-36 [bug 2140070]
Comment 4 errata-xmlrpc 2023-01-12 09:24:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0116 https://access.redhat.com/errata/RHSA-2023:0116
Comment 5 errata-xmlrpc 2023-01-23 15:22:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0343 https://access.redhat.com/errata/RHSA-2023:0343
Comment 6 Product Security DevOps Team 2023-01-25 14:52:12 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-46848
Comment 8 errata-xmlrpc 2024-01-24 16:48:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0427 https://access.redhat.com/errata/RHSA-2024:0427