libtasn1 version 2.12 was released fixing the following issue:

- Corrected DER decoding issue (reported by Matthew Hall). Added self check to detect the problem, see tests/Test_overflow.c. This problem can lead to at least remotely triggered crashes, see further analysis on the libtasn1 mailing list.
  http://thread.gmane.org/gmane.comp.gnu.libtasn1.general/53

Upstream and a few limited details are available at:
http://thread.gmane.org/gmane.comp.gnu.libtasn1.general/54

The behavior of asn1_get_length_der was changed to protect against accidental incorrect use, even though it was previously "working properly and as documented".
Upstream test case: http://git.savannah.gnu.org/cgit/libtasn1.git/tree/tests/Test_overflow.c
"There is a self-test in GnuTLS about this, see tests/suite/invalid-cert*. It contains a crafted cert which triggers the bug, to cause a crash."
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5957

I've tried this on RHEL6 and got a segfault because memcpy reaches the end of the heap memory.

$ gdb certtool
gdb$ r --certificate-info --inder --infile tests_suite_invalid-cert.der

Program received signal SIGSEGV, Segmentation fault.
--------------------------------------------------------------------------[regs]
  EAX: 0x80000004  EBX: 0x05D99388  ECX: 0x1FFFB3A4  EDX: 0x08083F60  o d I t s z a p c
  ESI: 0x08094FFF  EDI: 0x37FF817C  EBP: 0xBFFFE838  ESP: 0xBFFFE80C  EIP: 0x00498E51
  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
--------------------------------------------------------------------------[code]
=> 0x498e51 <__memcpy_ia32+97>:    rep movs DWORD PTR es:[edi],DWORD PTR ds:[esi]
   0x498e53 <__memcpy_ia32+99>:    jmp    0x498e3d <__memcpy_ia32+77>
   0x498e55:    nop
   0x498e56:    nop
   0x498e57:    nop
   0x498e58:    nop
   0x498e59:    nop
   0x498e5a:    nop
--------------------------------------------------------------------------------
__memcpy_ia32 () at ../sysdeps/i386/i686/memcpy.S:100
100    2:    rep
Missing separate debuginfos, use: debuginfo-install libgpg-error-1.7-4.el6.i686 ncurses-libs-5.7-3.20090208.el6.i686 readline-6.0-3.el6.i686
gdb$ bt
#0  __memcpy_ia32 () at ../sysdeps/i386/i686/memcpy.S:100
#1  0x05d92ba1 in _asn1_set_value (node=0x8083f60, value=0x8081e8b, len=0x80000004) at /usr/include/bits/string3.h:52
#2  0x05d8e101 in asn1_der_decoding (element=0x8074678, ider=0x8081e80, len=0x2af, errorDescription=0x0) at decoding.c:1112
#3  0x05ebc31d in gnutls_x509_crt_import (cert=0x8074678, data=0xbffff210, format=GNUTLS_X509_FMT_DER) at x509.c:231
#4  0x05ebc52a in gnutls_x509_crt_list_import (certs=0xbfffea40, cert_max=0xbffff218, data=0xbffff210, format=GNUTLS_X509_FMT_DER, flags=0x1) at x509.c:2886
#5  0x080506be in certificate_info () at certtool.c:1039
#6  0x08051d45 in gaa_parser (argc=0x5, argv=0xbffff354) at certtool.c:953
#7  main (argc=0x5, argv=0xbffff354) at certtool.c:103

$ ps -A | grep certtool
 6908 pts/6    00:00:00 certtool
$ cat /proc/6908/maps | grep heap
08064000-08095000 rw-p 00000000 00:00 0          [heap]
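The backtrace above shows _asn1_set_value handing memcpy a len of 0x80000004, a size that came out of the certificate's own DER length octets rather than from the bytes actually present in the buffer. The example below is an added illustration in C of that class of bug; it is not libtasn1 or GnuTLS code and not a reconstruction of the upstream fix. It contrasts a DER length decoder that returns whatever the length octets encode with one that also enforces DER minimality and, decisively, refuses any length larger than the input that remains after the length octets. The two sample TLVs are constructed for the example; the crafted one encodes the same 0x80000004 seen in the crash while carrying only two value bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return codes for der_get_length(). */
enum { DER_ERR_MALFORMED = -1, DER_ERR_TOO_LONG = -2 };

/* Unchecked decoder: parses the length octets (X.690 8.1.3) and hands back
 * whatever value they encode, without asking whether that many bytes exist.
 * A caller that feeds this straight into memcpy copies past the end of its
 * input, which is the shape of the len=0x80000004 crash above.
 * Returns 0 for input it cannot parse at all. */
unsigned long der_get_length_unchecked(const unsigned char *der, size_t der_len,
                                       int *len_len)
{
    if (der_len == 0 || der[0] == 0x80)            /* empty or indefinite form */
        return 0;
    if (der[0] < 0x80) {                           /* short form: one octet */
        *len_len = 1;
        return der[0];
    }
    int n = der[0] & 0x7f;                         /* long form: n octets follow */
    if ((size_t)n > der_len - 1 || n > (int)sizeof(unsigned long))
        return 0;
    unsigned long len = 0;
    for (int i = 1; i <= n; i++)
        len = (len << 8) | der[i];
    *len_len = 1 + n;
    return len;
}

/* Checked decoder: same octet parsing, plus DER minimality rules and a
 * comparison of the decoded length against the bytes that actually remain
 * after the length octets.  Returns the content length and stores the number
 * of length octets in *len_len, or a negative DER_ERR_* code. */
long der_get_length(const unsigned char *der, size_t der_len, int *len_len)
{
    if (der_len == 0)
        return DER_ERR_MALFORMED;
    unsigned char first = der[0];
    if (first < 0x80) {                            /* short form: one octet */
        *len_len = 1;
        return (first <= der_len - 1) ? (long)first : DER_ERR_TOO_LONG;
    }
    if (first == 0x80 || first == 0xff)            /* indefinite / reserved: not DER */
        return DER_ERR_MALFORMED;
    int n = first & 0x7f;
    if ((size_t)n > der_len - 1 || n > (int)sizeof(size_t))
        return DER_ERR_MALFORMED;                  /* truncated or unrepresentable */
    if (der[1] == 0x00)
        return DER_ERR_MALFORMED;                  /* leading zero octet: not minimal */
    size_t len = 0;
    for (int i = 1; i <= n; i++)
        len = (len << 8) | der[i];
    if (n == 1 && len < 0x80)
        return DER_ERR_MALFORMED;                  /* long form for a short value */
    *len_len = 1 + n;
    if (len > der_len - (size_t)(1 + n))           /* the check that matters */
        return DER_ERR_TOO_LONG;
    return (long)len;
}

/* Copy the value of one single-octet-tag TLV into out.  Returns the number
 * of bytes copied, or -1 if the TLV is malformed, overlong, or too big for out. */
long der_copy_value(const unsigned char *der, size_t der_len,
                    unsigned char *out, size_t out_len)
{
    if (der_len < 2 || (der[0] & 0x1f) == 0x1f)    /* need tag + length; no multi-octet tags */
        return -1;
    int len_len = 0;
    long len = der_get_length(der + 1, der_len - 1, &len_len);
    if (len < 0 || (size_t)len > out_len)
        return -1;
    memcpy(out, der + 1 + len_len, (size_t)len);   /* safe: len <= bytes remaining */
    return len;
}

/* Constructed samples (not the GnuTLS test-suite certificate): a well-formed
 * OCTET STRING "abc", and a TLV whose long-form length encodes 0x80000004
 * while only two value bytes follow it. */
static const unsigned char sample_ok[]      = { 0x04, 0x03, 'a', 'b', 'c' };
static const unsigned char sample_crafted[] = { 0x04, 0x84, 0x80, 0x00, 0x00, 0x04, 'x', 'y' };

int main(void)
{
    unsigned char out[16];
    int ll = 0;
    printf("ok:      checked=%ld copied=%ld\n",
           der_get_length(sample_ok + 1, sizeof sample_ok - 1, &ll),
           der_copy_value(sample_ok, sizeof sample_ok, out, sizeof out));
    printf("crafted: unchecked=0x%lx checked=%ld copied=%ld\n",
           der_get_length_unchecked(sample_crafted + 1, sizeof sample_crafted - 1, &ll),
           der_get_length(sample_crafted + 1, sizeof sample_crafted - 1, &ll),
           der_copy_value(sample_crafted, sizeof sample_crafted, out, sizeof out));
    return 0;
}
```

The checked decoder makes the remaining-input comparison the decoder's job instead of every caller's: once a length has been accepted, a memcpy of that many bytes from the value pointer cannot run off the end of the buffer, which is the property the caller in the backtrace was missing.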
(In reply to comment #2)
> "There is a self-test in GnuTLS about this, see tests/suite/invalid-cert*. It
> contains a crafted cert which triggers the bug, to cause a crash."
> http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5957

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commit;h=88138dc44fc00f2887956d71e0febd2656e1fd9f
Added CVE as per http://www.openwall.com/lists/oss-security/2012/03/20/8
Added mingw32-gnutls owner in Fedora. Even though there is mingw-libtasn1 now in Fedora, mingw32-gnutls seems to be using bundled libtasn1.
Created mingw32-gnutls tracking bugs for this issue

Affects: fedora-all [bug 805442]
Acknowledgements: Red Hat would like to thank Matthew Hall of Mu Dynamics for reporting this issue.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2012:0428 https://rhn.redhat.com/errata/RHSA-2012-0428.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2012:0427 https://rhn.redhat.com/errata/RHSA-2012-0427.html
mingw32-gnutls-2.12.14-3.fc16, mingw-libtasn1-2.12-1.fc16 have been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
libtasn1-2.12-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
libtasn1-2.12-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
mingw-libtasn1-2.12-1.fc17, mingw-p11-kit-0.12-1.fc17, mingw-gnutls-2.12.17-1.fc17 have been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
libtasn1-2.12-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
mingw32-gnutls-2.10.5-2.fc15, mingw-libtasn1-2.12-1.fc15 have been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: RHEV-H, V2V and Agents for RHEL-5 Via RHSA-2012:0488 https://rhn.redhat.com/errata/RHSA-2012-0488.html
This issue has been addressed in following products: RHEV-H and Agents for RHEL-6 Via RHSA-2012:0531 https://rhn.redhat.com/errata/RHSA-2012-0531.html
External Reference: (none)
Created attachment 712481 [details]
Local copy of the Mu Dynamics advisory text

It seems the company got acquired and its main web site is no longer working.