Bug 804920 - (CVE-2012-1569) CVE-2012-1569 libtasn1: DER decoding buffer overflow (GNUTLS-SA-2012-3, MU-201202-02)
CVE-2012-1569 libtasn1: DER decoding buffer overflow (GNUTLS-SA-2012-3, MU-20...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20120319,repo...
: Reopened, Security
Depends On: 805074 805075 805076 805077 805078 805079 805442 1063396
Blocks: 804921
  Show dependency treegraph
 
Reported: 2012-03-20 04:04 EDT by Tomas Hoger
Modified: 2016-02-15 08:40 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-20 07:06:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Local copy of the Mu Dynamics advisory text (15.53 KB, text/plain)
2013-03-19 05:30 EDT, Tomas Hoger
no flags Details

  None (edit)
Description Tomas Hoger 2012-03-20 04:04:39 EDT
libtasn1 version 2.12 was released fixing the following issue:

  - Corrected DER decoding issue (reported by Matthew Hall).
    Added self check to detect the problem, see tests/Test_overflow.c.
    This problem can lead to at least remotely triggered crashes, see
    further analysis on the libtasn1 mailing list.

  http://thread.gmane.org/gmane.comp.gnu.libtasn1.general/53

Upstream and few limited details are available at:

  http://thread.gmane.org/gmane.comp.gnu.libtasn1.general/54

The behavior of asn1_get_length_der was changed to protect against accidental incorrect use, if though it was previously "working properly and as documented".
Comment 1 Tomas Hoger 2012-03-20 04:26:49 EDT
Upstream test case:
  http://git.savannah.gnu.org/cgit/libtasn1.git/tree/tests/Test_overflow.c
Comment 2 Stefan Cornelius 2012-03-20 08:11:11 EDT
"There is a self-test in GnuTLS about this, see tests/suite/invalid-cert*.  It contains a crafted cert which triggers the bug, to cause a crash."
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5957

I've tried this on RHEL6 and got a segfault because memcpy reaches the end of the heap memory.

$ gdb certtool

gdb$ r --certificate-info --inder --infile tests_suite_invalid-cert.der 

Program received signal SIGSEGV, Segmentation fault.
--------------------------------------------------------------------------[regs]
  EAX: 0x80000004  EBX: 0x05D99388  ECX: 0x1FFFB3A4  EDX: 0x08083F60  o d I t s z a p c 
  ESI: 0x08094FFF  EDI: 0x37FF817C  EBP: 0xBFFFE838  ESP: 0xBFFFE80C  EIP: 0x00498E51
  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
--------------------------------------------------------------------------[code]
=> 0x498e51 <__memcpy_ia32+97>:	rep movs DWORD PTR es:[edi],DWORD PTR ds:[esi]
   0x498e53 <__memcpy_ia32+99>:	jmp    0x498e3d <__memcpy_ia32+77>
   0x498e55:	nop
   0x498e56:	nop
   0x498e57:	nop
   0x498e58:	nop
   0x498e59:	nop
   0x498e5a:	nop
--------------------------------------------------------------------------------
__memcpy_ia32 () at ../sysdeps/i386/i686/memcpy.S:100
100	2:	rep
Missing separate debuginfos, use: debuginfo-install libgpg-error-1.7-4.el6.i686 ncurses-libs-5.7-3.20090208.el6.i686 readline-6.0-3.el6.i686

gdb$ bt
#0  __memcpy_ia32 () at ../sysdeps/i386/i686/memcpy.S:100
#1  0x05d92ba1 in _asn1_set_value (node=0x8083f60, value=0x8081e8b, len=0x80000004) at /usr/include/bits/string3.h:52
#2  0x05d8e101 in asn1_der_decoding (element=0x8074678, ider=0x8081e80, len=0x2af, errorDescription=0x0) at decoding.c:1112
#3  0x05ebc31d in gnutls_x509_crt_import (cert=0x8074678, data=0xbffff210, format=GNUTLS_X509_FMT_DER) at x509.c:231
#4  0x05ebc52a in gnutls_x509_crt_list_import (certs=0xbfffea40, cert_max=0xbffff218, data=0xbffff210, format=GNUTLS_X509_FMT_DER, flags=0x1) at x509.c:2886
#5  0x080506be in certificate_info () at certtool.c:1039
#6  0x08051d45 in gaa_parser (argc=0x5, argv=0xbffff354) at certtool.c:953
#7  main (argc=0x5, argv=0xbffff354) at certtool.c:103

$ ps -A | grep certtool
 6908 pts/6    00:00:00 certtool

$ cat /proc/6908/maps | grep heap
08064000-08095000 rw-p 00000000 00:00 0          [heap]
Comment 6 Tomas Hoger 2012-03-20 10:49:32 EDT
(In reply to comment #2)
> "There is a self-test in GnuTLS about this, see tests/suite/invalid-cert*.  It
> contains a crafted cert which triggers the bug, to cause a crash."
> http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5957

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commit;h=88138dc44fc00f2887956d71e0febd2656e1fd9f
Comment 7 Kurt Seifried 2012-03-20 12:55:05 EDT
Added CVE as per http://www.openwall.com/lists/oss-security/2012/03/20/8
Comment 8 Tomas Hoger 2012-03-21 03:48:46 EDT
Added mingw32-gnutls owner in Fedora.  Even though there is mingw-libtasn1 now in Fedora, mingw32-gnutls seems to be using bundled libtasn1.
Comment 10 Stefan Cornelius 2012-03-21 06:22:34 EDT
Created mingw32-gnutls tracking bugs for this issue

Affects: fedora-all [bug 805442]
Comment 11 Stefan Cornelius 2012-03-23 09:08:26 EDT
Acknowledgements:

Red Hat would like to thank Matthew Hall of Mu Dynamics for reporting this issue.
Comment 12 errata-xmlrpc 2012-03-27 18:57:06 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0428 https://rhn.redhat.com/errata/RHSA-2012-0428.html
Comment 13 errata-xmlrpc 2012-03-27 18:57:25 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0427 https://rhn.redhat.com/errata/RHSA-2012-0427.html
Comment 14 Fedora Update System 2012-03-30 23:19:15 EDT
mingw32-gnutls-2.12.14-3.fc16, mingw-libtasn1-2.12-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2012-04-06 17:27:58 EDT
libtasn1-2.12-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2012-04-06 17:31:17 EDT
libtasn1-2.12-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2012-04-11 21:58:11 EDT
mingw-libtasn1-2.12-1.fc17, mingw-p11-kit-0.12-1.fc17, mingw-gnutls-2.12.17-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2012-04-11 22:05:51 EDT
libtasn1-2.12-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2012-04-12 07:29:12 EDT
mingw32-gnutls-2.10.5-2.fc15, mingw-libtasn1-2.12-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 errata-xmlrpc 2012-04-17 13:54:06 EDT
This issue has been addressed in following products:

  RHEV-H, V2V and Agents for RHEL-5

Via RHSA-2012:0488 https://rhn.redhat.com/errata/RHSA-2012-0488.html
Comment 21 errata-xmlrpc 2012-04-30 13:16:36 EDT
This issue has been addressed in following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2012:0531 https://rhn.redhat.com/errata/RHSA-2012-0531.html
Comment 22 Murray McAllister 2013-03-06 21:39:55 EST
External Reference:

(none)
Comment 24 Tomas Hoger 2013-03-19 05:30:23 EDT
Created attachment 712481 [details]
Local copy of the Mu Dynamics advisory text

It seem the company got acquired and its main web site is no longer working.

Note You need to log in before you can comment on or make changes to this bug.