Bug 804920 (CVE-2012-1569)
| Field | Value |
|---|---|
| Summary | CVE-2012-1569 libtasn1: DER decoding buffer overflow (GNUTLS-SA-2012-3, MU-201202-02) |
| Product | [Other] Security Response |
| Reporter | Tomas Hoger <thoger> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| CC | erik-fedora, fweimer, jlieskov, kalevlember, osoukup, rh-bugzilla, rjones, scorneli, tmraz |
| Keywords | Reopened, Security |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2014-10-20 11:06:33 UTC |
| Bug Depends On | 805074, 805075, 805076, 805077, 805078, 805079, 805442, 1063396 |
| Bug Blocks | 804921 |
Description
Tomas Hoger
2012-03-20 08:04:39 UTC
Upstream test case: http://git.savannah.gnu.org/cgit/libtasn1.git/tree/tests/Test_overflow.c

"There is a self-test in GnuTLS about this, see tests/suite/invalid-cert*. It contains a crafted cert which triggers the bug, to cause a crash."
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5957

I've tried this on RHEL6 and got a segfault because memcpy reaches the end of the heap memory.

```
$ gdb certtool
gdb$ r --certificate-info --inder --infile tests_suite_invalid-cert.der

Program received signal SIGSEGV, Segmentation fault.
--------------------------------------------------------------------------[regs]
  EAX: 0x80000004  EBX: 0x05D99388  ECX: 0x1FFFB3A4  EDX: 0x08083F60  o d I t s z a p c
  ESI: 0x08094FFF  EDI: 0x37FF817C  EBP: 0xBFFFE838  ESP: 0xBFFFE80C  EIP: 0x00498E51
  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
--------------------------------------------------------------------------[code]
=> 0x498e51 <__memcpy_ia32+97>:	rep movs DWORD PTR es:[edi],DWORD PTR ds:[esi]
   0x498e53 <__memcpy_ia32+99>:	jmp    0x498e3d <__memcpy_ia32+77>
   0x498e55:	nop
   0x498e56:	nop
   0x498e57:	nop
   0x498e58:	nop
   0x498e59:	nop
   0x498e5a:	nop
--------------------------------------------------------------------------------
__memcpy_ia32 () at ../sysdeps/i386/i686/memcpy.S:100
100	2:	rep
Missing separate debuginfos, use: debuginfo-install libgpg-error-1.7-4.el6.i686 ncurses-libs-5.7-3.20090208.el6.i686 readline-6.0-3.el6.i686
gdb$ bt
#0  __memcpy_ia32 () at ../sysdeps/i386/i686/memcpy.S:100
#1  0x05d92ba1 in _asn1_set_value (node=0x8083f60, value=0x8081e8b, len=0x80000004) at /usr/include/bits/string3.h:52
#2  0x05d8e101 in asn1_der_decoding (element=0x8074678, ider=0x8081e80, len=0x2af, errorDescription=0x0) at decoding.c:1112
#3  0x05ebc31d in gnutls_x509_crt_import (cert=0x8074678, data=0xbffff210, format=GNUTLS_X509_FMT_DER) at x509.c:231
#4  0x05ebc52a in gnutls_x509_crt_list_import (certs=0xbfffea40, cert_max=0xbffff218, data=0xbffff210, format=GNUTLS_X509_FMT_DER, flags=0x1) at x509.c:2886
#5  0x080506be in certificate_info () at certtool.c:1039
#6  0x08051d45 in gaa_parser (argc=0x5, argv=0xbffff354) at certtool.c:953
#7  main (argc=0x5, argv=0xbffff354) at certtool.c:103

$ ps -A | grep certtool
 6908 pts/6    00:00:00 certtool
$ cat /proc/6908/maps | grep heap
08064000-08095000 rw-p 00000000 00:00 0          [heap]
```

(In reply to comment #2)
> "There is a self-test in GnuTLS about this, see tests/suite/invalid-cert*. It
> contains a crafted cert which triggers the bug, to cause a crash."
> http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5957

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commit;h=88138dc44fc00f2887956d71e0febd2656e1fd9f

Added CVE as per http://www.openwall.com/lists/oss-security/2012/03/20/8

Added mingw32-gnutls owner in Fedora. Even though there is mingw-libtasn1 now in Fedora, mingw32-gnutls seems to be using bundled libtasn1.

Created mingw32-gnutls tracking bugs for this issue

Affects: fedora-all [bug 805442]

Acknowledgements:

Red Hat would like to thank Matthew Hall of Mu Dynamics for reporting this issue.

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0428 https://rhn.redhat.com/errata/RHSA-2012-0428.html

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0427 https://rhn.redhat.com/errata/RHSA-2012-0427.html

mingw32-gnutls-2.12.14-3.fc16, mingw-libtasn1-2.12-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

libtasn1-2.12-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

libtasn1-2.12-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

mingw-libtasn1-2.12-1.fc17, mingw-p11-kit-0.12-1.fc17, mingw-gnutls-2.12.17-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

libtasn1-2.12-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

mingw32-gnutls-2.10.5-2.fc15, mingw-libtasn1-2.12-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in following products:

  RHEV-H, V2V and Agents for RHEL-5

Via RHSA-2012:0488 https://rhn.redhat.com/errata/RHSA-2012-0488.html

This issue has been addressed in following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2012:0531 https://rhn.redhat.com/errata/RHSA-2012-0531.html

External Reference: (none)

Created attachment 712481 [details]
Local copy of the Mu Dynamics advisory text

It seems the company got acquired and its main web site is no longer working.
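The backtrace above shows _asn1_set_value reaching memcpy with len=0x80000004 while asn1_der_decoding was handed a 0x2af-byte input, i.e. a decoded DER length that was never compared against the bytes actually remaining. The following is an added example (not libtasn1 or GnuTLS code) of a minimal DER tag-length-value reader that performs that comparison; decode_tlv, run_samples and the two sample encodings are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Minimal DER tag-length-value reader (added example, not libtasn1 code).
 * Decodes one TLV from der[0..der_len) and copies its value into out.
 * Returns 0 on success, -1 on any malformed or out-of-bounds encoding. */
int decode_tlv(const unsigned char *der, size_t der_len,
               unsigned char *out, size_t out_cap, size_t *out_len)
{
    size_t pos = 1, len = 0;             /* byte 0 is the single-byte tag */
    if (der_len < 2)                     /* need at least tag + length */
        return -1;
    unsigned char b = der[pos++];
    if (b < 0x80) {                      /* short form: length is b itself */
        len = b;
    } else {                             /* long form: b & 0x7f bytes follow */
        unsigned n = b & 0x7f;
        /* 0x80 (indefinite) is not DER; reject more length bytes than
         * size_t can hold or than the input still contains */
        if (n == 0 || n > sizeof(size_t) || n > der_len - pos)
            return -1;
        for (unsigned i = 0; i < n; i++)
            len = (len << 8) | der[pos++];
    }
    /* The check that matters for this bug: the decoded length must fit in
     * what is left of the input. Without it a length like 0x80000004 in a
     * 0x2af-byte certificate reaches memcpy unchanged, as in the backtrace. */
    if (len > der_len - pos || len > out_cap)
        return -1;
    memcpy(out, der + pos, len);
    *out_len = len;
    return 0;
}

/* Constructed samples: a well-formed OCTET STRING "abc", and an OCTET STRING
 * whose long-form length decodes to 0x80000004 inside a 6-byte input. */
const unsigned char der_good[]    = {0x04, 0x03, 'a', 'b', 'c'};
const unsigned char der_crafted[] = {0x04, 0x84, 0x80, 0x00, 0x00, 0x04};

/* Returns 1 when the good sample decodes to "abc" and the crafted one is
 * rejected before any copy happens, 0 otherwise. */
int run_samples(void)
{
    unsigned char buf[8]; size_t n = 0;
    if (decode_tlv(der_good, sizeof der_good, buf, sizeof buf, &n) != 0) return 0;
    if (n != 3 || memcmp(buf, "abc", 3) != 0) return 0;
    return decode_tlv(der_crafted, sizeof der_crafted, buf, sizeof buf, &n) == -1;
}
```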