Bug 804920 (CVE-2012-1569)

Summary: CVE-2012-1569 libtasn1: DER decoding buffer overflow (GNUTLS-SA-2012-3, MU-201202-02)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: erik-fedora, fweimer, jlieskov, kalevlember, osoukup, rh-bugzilla, rjones, scorneli, tmraz
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-20 11:06:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 805074, 805075, 805076, 805077, 805078, 805079, 805442, 1063396
Bug Blocks: 804921
Attachments:
Local copy of the Mu Dynamics advisory text (flags: none)

Description Tomas Hoger 2012-03-20 08:04:39 UTC
libtasn1 version 2.12 was released fixing the following issue:

  - Corrected DER decoding issue (reported by Matthew Hall).
    Added self check to detect the problem, see tests/Test_overflow.c.
    This problem can lead to at least remotely triggered crashes, see
    further analysis on the libtasn1 mailing list.

  http://thread.gmane.org/gmane.comp.gnu.libtasn1.general/53

Upstream and a few limited details are available at:

  http://thread.gmane.org/gmane.comp.gnu.libtasn1.general/54

The behavior of asn1_get_length_der was changed to protect against accidental incorrect use, even though it was previously "working properly and as documented".

Comment 1 Tomas Hoger 2012-03-20 08:26:49 UTC
Upstream test case:
  http://git.savannah.gnu.org/cgit/libtasn1.git/tree/tests/Test_overflow.c

Comment 2 Stefan Cornelius 2012-03-20 12:11:11 UTC
"There is a self-test in GnuTLS about this, see tests/suite/invalid-cert*.  It contains a crafted cert which triggers the bug, to cause a crash."
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5957

I've tried this on RHEL6 and got a segfault because memcpy reaches the end of the heap memory.

$ gdb certtool

gdb$ r --certificate-info --inder --infile tests_suite_invalid-cert.der 

Program received signal SIGSEGV, Segmentation fault.
--------------------------------------------------------------------------[regs]
  EAX: 0x80000004  EBX: 0x05D99388  ECX: 0x1FFFB3A4  EDX: 0x08083F60  o d I t s z a p c 
  ESI: 0x08094FFF  EDI: 0x37FF817C  EBP: 0xBFFFE838  ESP: 0xBFFFE80C  EIP: 0x00498E51
  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
--------------------------------------------------------------------------[code]
=> 0x498e51 <__memcpy_ia32+97>:	rep movs DWORD PTR es:[edi],DWORD PTR ds:[esi]
   0x498e53 <__memcpy_ia32+99>:	jmp    0x498e3d <__memcpy_ia32+77>
   0x498e55:	nop
   0x498e56:	nop
   0x498e57:	nop
   0x498e58:	nop
   0x498e59:	nop
   0x498e5a:	nop
--------------------------------------------------------------------------------
__memcpy_ia32 () at ../sysdeps/i386/i686/memcpy.S:100
100	2:	rep
Missing separate debuginfos, use: debuginfo-install libgpg-error-1.7-4.el6.i686 ncurses-libs-5.7-3.20090208.el6.i686 readline-6.0-3.el6.i686

gdb$ bt
#0  __memcpy_ia32 () at ../sysdeps/i386/i686/memcpy.S:100
#1  0x05d92ba1 in _asn1_set_value (node=0x8083f60, value=0x8081e8b, len=0x80000004) at /usr/include/bits/string3.h:52
#2  0x05d8e101 in asn1_der_decoding (element=0x8074678, ider=0x8081e80, len=0x2af, errorDescription=0x0) at decoding.c:1112
#3  0x05ebc31d in gnutls_x509_crt_import (cert=0x8074678, data=0xbffff210, format=GNUTLS_X509_FMT_DER) at x509.c:231
#4  0x05ebc52a in gnutls_x509_crt_list_import (certs=0xbfffea40, cert_max=0xbffff218, data=0xbffff210, format=GNUTLS_X509_FMT_DER, flags=0x1) at x509.c:2886
#5  0x080506be in certificate_info () at certtool.c:1039
#6  0x08051d45 in gaa_parser (argc=0x5, argv=0xbffff354) at certtool.c:953
#7  main (argc=0x5, argv=0xbffff354) at certtool.c:103

$ ps -A | grep certtool
 6908 pts/6    00:00:00 certtool

$ cat /proc/6908/maps | grep heap
08064000-08095000 rw-p 00000000 00:00 0          [heap]
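Neither the description nor the backtrace above shows the fix itself; what the backtrace does show is a length of 0x80000004 reaching memcpy from the DER decoder. The following C is an added example, not libtasn1's code (the function names, return codes and the two sample TLVs are constructed for illustration): the raw decoder yields 0x80000004 from a five-byte length field, and the checked variant rejects it because only three content bytes are actually present, so memcpy is never called with a length larger than the data.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Return codes (constructed for this example; not libtasn1's own constants). */
#define DER_ERR_TRUNCATED -1  /* the length field itself runs past the buffer */
#define DER_ERR_OVERFLOW  -2  /* announced length does not fit an unsigned long */
#define DER_ERR_TOO_LONG  -4  /* announced length exceeds the bytes actually present */

/* Decode the DER length field at der[0] (der_len bytes available) WITHOUT checking
 * that the announced content fits. *hdr gets the field size. 0x80 (indefinite) is rejected. */
int der_length_raw(const unsigned char *der, size_t der_len, unsigned long *value, size_t *hdr)
{
  size_t k, i; unsigned long ans = 0;
  if (der == NULL || der_len == 0) return DER_ERR_TRUNCATED;
  if (!(der[0] & 0x80)) { *value = der[0]; *hdr = 1; return 0; }   /* short form */
  k = der[0] & 0x7F;                          /* long form: k length bytes follow */
  if (k == 0 || k > der_len - 1) return DER_ERR_TRUNCATED;
  for (i = 1; i <= k; i++) {
    if (ans > (ULONG_MAX >> 8)) return DER_ERR_OVERFLOW;     /* next shift would wrap */
    ans = (ans << 8) | der[i];
  }
  *value = ans; *hdr = k + 1;
  return 0;
}

/* Same decoder plus the bound the vulnerable call site lacked: the announced
 * content must lie entirely inside the bytes that follow the length field. */
int der_length_checked(const unsigned char *der, size_t der_len, unsigned long *value, size_t *hdr)
{
  int rc = der_length_raw(der, der_len, value, hdr);
  if (rc != 0) return rc;
  return (*value > der_len - *hdr) ? DER_ERR_TOO_LONG : 0;  /* the missing bound */
}

/* Copy a primitive TLV's content to out; memcpy runs only after both bounds hold. */
long der_extract_content(const unsigned char *tlv, size_t tlv_len, unsigned char *out, size_t out_len)
{
  unsigned long value; size_t hdr; int rc;
  if (tlv_len == 0) return DER_ERR_TRUNCATED;
  rc = der_length_checked(tlv + 1, tlv_len - 1, &value, &hdr);
  if (rc != 0) return rc;
  if (value > out_len) return DER_ERR_TOO_LONG;
  memcpy(out, tlv + 1 + hdr, value);
  return (long)value;
}

/* Constructed samples: an OCTET STRING announcing 0x80000004 bytes (the len in
 * the backtrace above) while only 3 follow, and a well-formed 3-byte one. */
const unsigned char SAMPLE_BAD[] = {0x04, 0x84, 0x80, 0x00, 0x00, 0x04, 'a', 'b', 'c'};
const unsigned char SAMPLE_OK[]  = {0x04, 0x03, 'a', 'b', 'c'};
```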

Comment 6 Tomas Hoger 2012-03-20 14:49:32 UTC
(In reply to comment #2)
> "There is a self-test in GnuTLS about this, see tests/suite/invalid-cert*.  It
> contains a crafted cert which triggers the bug, to cause a crash."
> http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5957

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commit;h=88138dc44fc00f2887956d71e0febd2656e1fd9f

Comment 7 Kurt Seifried 2012-03-20 16:55:05 UTC
Added CVE as per http://www.openwall.com/lists/oss-security/2012/03/20/8

Comment 8 Tomas Hoger 2012-03-21 07:48:46 UTC
Added mingw32-gnutls owner in Fedora.  Even though there is mingw-libtasn1 now in Fedora, mingw32-gnutls seems to be using bundled libtasn1.

Comment 10 Stefan Cornelius 2012-03-21 10:22:34 UTC
Created mingw32-gnutls tracking bugs for this issue

Affects: fedora-all [bug 805442]

Comment 11 Stefan Cornelius 2012-03-23 13:08:26 UTC
Acknowledgements:

Red Hat would like to thank Matthew Hall of Mu Dynamics for reporting this issue.

Comment 12 errata-xmlrpc 2012-03-27 22:57:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0428 https://rhn.redhat.com/errata/RHSA-2012-0428.html

Comment 13 errata-xmlrpc 2012-03-27 22:57:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0427 https://rhn.redhat.com/errata/RHSA-2012-0427.html

Comment 14 Fedora Update System 2012-03-31 03:19:15 UTC
mingw32-gnutls-2.12.14-3.fc16, mingw-libtasn1-2.12-1.fc16 have been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2012-04-06 21:27:58 UTC
libtasn1-2.12-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2012-04-06 21:31:17 UTC
libtasn1-2.12-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2012-04-12 01:58:11 UTC
mingw-libtasn1-2.12-1.fc17, mingw-p11-kit-0.12-1.fc17, mingw-gnutls-2.12.17-1.fc17 have been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2012-04-12 02:05:51 UTC
libtasn1-2.12-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2012-04-12 11:29:12 UTC
mingw32-gnutls-2.10.5-2.fc15, mingw-libtasn1-2.12-1.fc15 have been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 errata-xmlrpc 2012-04-17 17:54:06 UTC
This issue has been addressed in the following products:

  RHEV-H, V2V and Agents for RHEL-5

Via RHSA-2012:0488 https://rhn.redhat.com/errata/RHSA-2012-0488.html

Comment 21 errata-xmlrpc 2012-04-30 17:16:36 UTC
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2012:0531 https://rhn.redhat.com/errata/RHSA-2012-0531.html

Comment 22 Murray McAllister 2013-03-07 02:39:55 UTC
External Reference:

(none)

Comment 24 Tomas Hoger 2013-03-19 09:30:23 UTC
Created attachment 712481
Local copy of the Mu Dynamics advisory text

It seems the company got acquired and its main web site is no longer working.