In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data. References: https://github.com/libtom/libtomcrypt/pull/508 and https://github.com/libtom/libtomcrypt/issues/507
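The flaw class described above is a decoder that trusts the UTF-8 lead byte and reads continuation bytes without first checking that they lie inside the buffer. The following is an added example, written for this page and not LibTomCrypt's der_decode_utf8_string or the fix in the linked pull request, of how a DER UTF8String payload can be validated strictly: the length field is checked against the buffer, and every multi-byte sequence is bounds-checked before its continuation bytes are touched, then rejected if it is truncated, overlong, a surrogate, or outside the Unicode range. The function names utf8_validate and der_utf8string_validate and the sample byte strings are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Strictly validate exactly `len` bytes of UTF-8.
 * Returns the number of code points decoded, or -1 on any malformed
 * input. A multi-byte sequence cut off by the end of the buffer is
 * rejected by the bounds check, before any continuation byte is read.
 * Example code, not LibTomCrypt's implementation. */
long utf8_validate(const unsigned char *in, size_t len)
{
    size_t i = 0;
    long count = 0;

    while (i < len) {
        unsigned char c = in[i];
        size_t need;   /* continuation bytes that must follow the lead byte */
        uint32_t cp;   /* code point being assembled */
        uint32_t min;  /* smallest code point this sequence length may encode */

        if (c < 0x80)               { need = 0; cp = c;        min = 0x0;     }
        else if ((c & 0xE0) == 0xC0) { need = 1; cp = c & 0x1F; min = 0x80;    }
        else if ((c & 0xF0) == 0xE0) { need = 2; cp = c & 0x0F; min = 0x800;   }
        else if ((c & 0xF8) == 0xF0) { need = 3; cp = c & 0x07; min = 0x10000; }
        else return -1;  /* stray continuation byte, or 0xF8..0xFF lead byte */

        /* Bounds check BEFORE reading in[i+1 .. i+need]; i < len, so no underflow. */
        if (need > len - i - 1) return -1;

        for (size_t k = 1; k <= need; k++) {
            unsigned char cc = in[i + k];
            if ((cc & 0xC0) != 0x80) return -1;  /* not a continuation byte */
            cp = (cp << 6) | (cc & 0x3F);
        }
        if (cp < min) return -1;                      /* overlong encoding */
        if (cp > 0x10FFFF) return -1;                 /* beyond Unicode range */
        if (cp >= 0xD800 && cp <= 0xDFFF) return -1;  /* UTF-16 surrogate */

        i += need + 1;
        count++;
    }
    return count;
}

/* Minimal DER UTF8String (tag 0x0C) TLV check: parses the short- or
 * long-form length, verifies it fits in the buffer, then validates the
 * payload. Returns the code point count or -1. Example code. */
long der_utf8string_validate(const unsigned char *der, size_t derlen)
{
    size_t pos = 0, plen = 0;

    if (derlen < 2 || der[pos++] != 0x0C) return -1;
    unsigned char l = der[pos++];
    if (l < 0x80) {
        plen = l;
    } else {
        size_t nbytes = l & 0x7F;
        if (nbytes == 0 || nbytes > sizeof(size_t) || nbytes > derlen - pos) return -1;
        for (size_t k = 0; k < nbytes; k++) plen = (plen << 8) | der[pos++];
    }
    /* The length field must not claim more bytes than the buffer holds. */
    if (plen > derlen - pos) return -1;
    return utf8_validate(der + pos, plen);
}

int main(void)
{
    /* Constructed samples: a valid string, a truncated 3-byte sequence,
     * and a length field that exceeds the buffer. */
    static const unsigned char ok[]  = {0x0C, 0x05, 'h', 0xC3, 0xA9, 'l', 'o'};
    static const unsigned char cut[] = {0x0C, 0x02, 'a', 0xE2};
    static const unsigned char lie[] = {0x0C, 0x10, 'a', 'b'};

    printf("valid:     %ld\n", der_utf8string_validate(ok, sizeof ok));
    printf("truncated: %ld\n", der_utf8string_validate(cut, sizeof cut));
    printf("bad len:   %ld\n", der_utf8string_validate(lie, sizeof lie));
    return 0;
}
```

The key ordering is that the check `need > len - i - 1` runs before the loop over continuation bytes; an implementation that reads first and checks afterwards reads past the end of the buffer on a truncated sequence, which is the out-of-bounds read the description refers to.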
Created libtomcrypt tracking bugs for this issue: Affects: epel-all [bug 1775215] Affects: fedora-all [bug 1775214]
Statement: Red Hat CloudForms 5.9, 5.10 and 5.11 are not affected as they no longer ship the libtomcrypt library. Only CloudForms 5.8, which is EOL, delivers the libtomcrypt library. Red Hat Ansible Engine 2.8 and 2.9 are not affected as they no longer ship the libtomcrypt library, and Ansible Engine 2.7 had deprecated it.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-17362