Source: Ubuntu.com (ubuntucve), ID UB:CVE-2012-1569
Date: Mar 26, 2012 - 12:00 a.m.

CVE-2012-1569


CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

EPSS: 0.916 High (Percentile: 98.9%)

The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12,
as used in GnuTLS before 3.0.16 and other products, does not properly
handle certain large length values, which allows remote attackers to cause
a denial of service (heap memory corruption and application crash) or
possibly have unspecified other impact via a crafted ASN.1 structure.

Notes

jdstrand: per Simon Josefsson (upstream), asn1_get_length_der() does not itself have the vulnerability, but that callers wouldn’t check its return code which could cause a DoS. It was deemed easier for asn1_get_length_der() to throw an error rather than changing all callers. Archive grep results for asn1_get_length_der(): https://chinstrap.canonical.com/~jamie/libtasn1.log

mdeslaur: gnutls test: http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commit;h=88138dc44fc00f2887956d71e0febd2656e1fd9f
libtasn test: http://git.savannah.gnu.org/cgit/libtasn1.git/plain/tests/Test_overflow.c
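
| OS | OS Version | Architecture | Package | Package Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 8.04 | noarch | libtasn1-3 | < 1.1-1ubuntu0.1 | UNKNOWN |
| ubuntu | 10.04 | noarch | libtasn1-3 | < 2.4-1ubuntu0.1 | UNKNOWN |
| ubuntu | 11.04 | noarch | libtasn1-3 | < 2.7-1ubuntu1.1 | UNKNOWN |
| ubuntu | 11.10 | noarch | libtasn1-3 | < 2.9-4ubuntu0.1 | UNKNOWN |
| ubuntu | 12.04 | noarch | libtasn1-3 | < 2.10-1ubuntu1.1 | UNKNOWN |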
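
The description and jdstrand's note both turn on DER length handling: a length field that claims more data than the buffer holds, and callers that use the decoded length without checking the return code. As an added example (not code from libtasn1, GnuTLS or this advisory; every function name and error code is hypothetical), a length decoder that fails on such values and a caller that checks the result:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { DER_OK = 0, DER_E_TRUNC = -1, DER_E_INDEF = -2, DER_E_RANGE = -3 }; /* hypothetical codes */

/* Hypothetical decoder, not libtasn1's code: *len = content length, *hdr = length octets used. */
static int der_get_length(const uint8_t *der, size_t der_len, size_t *len, size_t *hdr)
{
    size_t val = 0, used = 1;
    if (der_len == 0) return DER_E_TRUNC;
    if (der[0] < 0x80) {
        val = der[0];                            /* short form */
    } else {
        size_t k = der[0] & 0x7f;                /* long form: k length octets */
        if (k == 0) return DER_E_INDEF;          /* indefinite form is not DER */
        if (k > der_len - 1) return DER_E_TRUNC; /* length octets missing */
        for (size_t i = 1; i <= k; i++) {
            if (val > (SIZE_MAX >> 8)) return DER_E_RANGE; /* shift would wrap */
            val = (val << 8) | der[i];
        }
        used = 1 + k;
    }
    /* Reject a length that claims more content than the buffer holds. */
    if (val > der_len - used) return DER_E_RANGE;
    *len = val; *hdr = used;
    return DER_OK;
}

/* Caller: copy the value of the TLV at tlv[0..tlv_len) into dst; returns bytes copied or DER_E_*. */
static long der_copy_value(const uint8_t *tlv, size_t tlv_len,
                           uint8_t *dst, size_t dst_cap)
{
    size_t len, hdr;
    if (tlv_len < 1) return DER_E_TRUNC;
    int rc = der_get_length(tlv + 1, tlv_len - 1, &len, &hdr);
    if (rc != DER_OK) return rc;      /* the return-code check the note says callers skipped */
    if (len > dst_cap) return DER_E_RANGE;
    memcpy(dst, tlv + 1 + hdr, len);
    return (long)len;
}

int main(void)
{
    uint8_t out[8];
    const uint8_t big[] = { 0x04, 0x84, 0xff, 0xff, 0xff, 0xff, 'A' }; /* constructed input */
    printf("crafted length -> %ld\n", der_copy_value(big, sizeof big, out, sizeof out));
    return 0;
}
```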
