A heap-based buffer overflow flaw was found in the way the libtasn1 library decoded certain DER-encoded input. A specially crafted, DER-encoded input could cause an application using libtasn1 to perform an invalid read, causing the application to crash.
Sample malformed certificate exposing heap overflow (test with certtool -i --inder --infile=[sample] and address sanitizer or valgrind)
Created libtasn1 tracking bugs for this issue:
Affects: fedora-all [bug 1218142]
Created mingw-libtasn1 tracking bugs for this issue:
Affects: fedora-all [bug 1218143]
Affects: epel-7 [bug 1218144]
libtasn1-4.5-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Red Hat Product Security has rated this issue as having moderate security impact, a future update may address this flaw in the libtasn1 packages.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:1860 https://access.redhat.com/errata/RHSA-2017:1860