Debian RT libtasn1-3 ASN.1 length decoding vulnerability. CVE-2012-1569
Andreas Metzler
ametzler at downhill.at.eu.org
Wed Mar 21 15:40:15 UTC 2012
Hello,
there is a new public security problem with libtasn1: CVE-2012-1569.
Applies to: libtasn1-3 up to and including 2.11
Fixed in sid: yes, libtasn1-3 2.12-1
Fixed in testing: not yet, will take another 4 days to propagate.
Fixed in stable: No. (suggested debdiff is attached)
Release announcement:
http://lists.gnu.org/archive/html/help-libtasn1/2012-03/msg00000.html
Problem descriptions:
http://lists.gnu.org/archive/html/help-libtasn1/2012-03/msg00001.html
http://lists.gnu.org/archive/html/help-libtasn1/2012-03/msg00002.html
(The latter link also talks about an issue in gnutls28 3.0.16; this
one is fixed in sid and does not apply to stable.)
cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
-------------- next part --------------
File lists identical on package level (after any substitutions)
Control files of package libtasn1-3: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-2.7-1-] {+2.7-1+squeeze+1+}
Control files of package libtasn1-3-bin: lines which differ (wdiff format)
--------------------------------------------------------------------------
Installed-Size: [-144-] {+132+}
Version: [-2.7-1-] {+2.7-1+squeeze+1+}
Control files of package libtasn1-3-dbg: lines which differ (wdiff format)
--------------------------------------------------------------------------
Depends: libtasn1-3 (= [-2.7-1)-] {+2.7-1+squeeze+1)+}
Installed-Size: [-280-] {+252+}
Version: [-2.7-1-] {+2.7-1+squeeze+1+}
Control files of package libtasn1-3-dev: lines which differ (wdiff format)
--------------------------------------------------------------------------
Depends: libtasn1-3 (= [-2.7-1),-] {+2.7-1+squeeze+1),+} dpkg (>= 1.15.4) | install-info
Version: [-2.7-1-] {+2.7-1+squeeze+1+}
changelog | 6 ++
patches/CVE-2012-1569.diff | 91 +++++++++++++++++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 98 insertions(+)
diff -Nru libtasn1-3-2.7/debian/changelog libtasn1-3-2.7/debian/changelog
--- libtasn1-3-2.7/debian/changelog 2010-05-29 09:10:42.000000000 +0200
+++ libtasn1-3-2.7/debian/changelog 2012-03-21 16:03:38.000000000 +0100
@@ -1,3 +1,9 @@
+libtasn1-3 (2.7-1+squeeze+1) stable-security; urgency=low
+
+ * ASN.1 length decoding vulnerability. CVE-2012-1569.
+
+ -- Andreas Metzler <ametzler at debian.org> Wed, 21 Mar 2012 16:01:21 +0100
+
libtasn1-3 (2.7-1) unstable; urgency=low
* New upstream version.
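Review bot: the changelog entry `+ * ASN.1 length decoding vulnerability. CVE-2012-1569.` does not name the patched function or the patch file; mentioning `asn1_get_length_der` and `debian/patches/CVE-2012-1569.diff` (and that it is the minimal upstream fix rather than the full 2.12 change) would make the stable backport easier to audit against upstream.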
diff -Nru libtasn1-3-2.7/debian/patches/CVE-2012-1569.diff libtasn1-3-2.7/debian/patches/CVE-2012-1569.diff
--- libtasn1-3-2.7/debian/patches/CVE-2012-1569.diff 1970-01-01 01:00:00.000000000 +0100
+++ libtasn1-3-2.7/debian/patches/CVE-2012-1569.diff 2012-03-21 16:05:41.000000000 +0100
@@ -0,0 +1,91 @@
+From: Simon Josefsson <simon at josefsson.org>
+To: help-libtasn1 at gnu.org
+Subject: minimal fix to security issue
+OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
+Date: Mon, 19 Mar 2012 11:48:50 +0100
+Message-ID: <87d388dfxp.fsf at latte.josefsson.org>
+User-Agent: Gnus/5.130003 (Ma Gnus v0.3) Emacs/24.0.94 (gnu/linux)
+MIME-Version: 1.0
+Content-Type: text/plain
+X-BeenThere: help-libtasn1 at gnu.org
+Precedence: list
+List-Id: Discussion list for GNU Libtasn1 <help-libtasn1.gnu.org>
+List-Unsubscribe: <https://lists.gnu.org/mailman/options/help-libtasn1>,
+ <mailto:help-libtasn1-request at gnu.org?subject=unsubscribe>
+List-Archive: <http://lists.gnu.org/archive/html/help-libtasn1>
+List-Post: <mailto:help-libtasn1 at gnu.org>
+List-Help: <mailto:help-libtasn1-request at gnu.org?subject=help>
+List-Subscribe: <https://lists.gnu.org/mailman/listinfo/help-libtasn1>,
+ <mailto:help-libtasn1-request at gnu.org?subject=subscribe>
+
+If you want to patch an earlier version of libtasn1 instead of
+upgrading, below is a small patch that does the trick. You can check
+whether a library is patched or not by running tests/Test_overflow.c
+from version 2.12 on your libtasn1 library (use LD_PRELOAD to force
+loading of a particular library).
+
+I want to mention that there were no security problem in the
+asn1_get_length_der function. It was working properly and as documented
+before. The security problem was the callers not checking that the
+returned values were reasonable, i.e., that the output length was less
+than or equal to the total length of the buffer. However, fixing all
+callers of this function would be a huge amount of work. Instead, we
+made asn1_get_length_der return an error code when the situation
+occured, to protect callers. This fix could be the wrong thing if some
+code out there calls the function with a der_len parameter that is
+smaller than the entire DER structure length. However, we are hoping
+that is not in any significant use, and that overall security will be
+improved by having the function sanity check its output rather than
+letting the caller do that. This was a judgement call.
+
+Thanks again to Matthew Hall for reporting the issue and to Nikos for
+discussion.
+
+/Simon
+
+diff --git a/lib/decoding.c b/lib/decoding.c
+index 8c46ce5..968fa96 100644
+--- a/lib/decoding.c
++++ b/lib/decoding.c
+@@ -54,12 +54,13 @@ _asn1_error_description_tag_error (ASN1_TYPE node, char *ErrorDescription)
+ * Extract a length field from DER data.
+ *
+ * Returns: Return the decoded length value, or -1 on indefinite
+- * length, or -2 when the value was too big.
++ * length, or -2 when the value was too big to fit in a int, or -4
++ * when the decoded length value plus @len would exceed @der_len.
+ **/
+ signed long
+ asn1_get_length_der (const unsigned char *der, int der_len, int *len)
+ {
+- unsigned long ans;
++ int ans;
+ int k, punt;
+
+ *len = 0;
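Review bot: the updated doc comment has a grammar slip, `too big to fit in a int` should read `an int`; more importantly, `unsigned long ans;` becoming `int ans;` while the function still returns `signed long` means any length above INT_MAX is now reported as -2, and the comment should say so explicitly. The new -4 code is a new return value, so callers that only test for -1 and -2 must be reviewed to handle it.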
+@@ -82,7 +83,7 @@ asn1_get_length_der (const unsigned char *der, int der_len, int *len)
+ ans = 0;
+ while (punt <= k && punt < der_len)
+ {
+- unsigned long last = ans;
++ int last = ans;
+
+ ans = ans * 256 + der[punt++];
+ if (ans < last)
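Review bot: the wrap-around detector `if (ans < last)` relied on unsigned modular arithmetic; once `unsigned long last = ans;` becomes `int last = ans;` and `ans = ans * 256 + der[punt++];` is evaluated in signed `int`, the overflow it is meant to catch is undefined behaviour and an optimising compiler may discard the comparison. Suggest keeping an unsigned accumulator and returning -2 as soon as the value exceeds INT_MAX, before narrowing to `int`.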
+@@ -92,10 +93,13 @@ asn1_get_length_der (const unsigned char *der, int der_len, int *len)
+ }
+ else
+ { /* indefinite length method */
+- ans = -1;
++ *len = punt;
++ return -1;
+ }
+
+ *len = punt;
++ if (ans + *len < ans || ans + *len > der_len)
++ return -4;
+ return ans;
+ }
+ }
+
+
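Review bot: the new guard `if (ans + *len < ans || ans + *len > der_len)` has the same signed-overflow concern as the accumulator loop: with `ans` and `*len` both `int`, `ans + *len < ans` can only become true on overflow, which is undefined. A subtraction that cannot overflow, e.g. `ans > der_len - *len`, is preferable, assuming `*len = punt` stays at or below `der_len`, which the loop condition `punt < der_len` suggests. The indefinite-length branch now sets `*len = punt;` before `return -1;`, which is correct since there is no length to validate, but that is a behaviour change callers may notice and deserves a line in the doc comment. Simon's own caveat in the message above this diff also belongs in the Debian changelog: callers that pass a `der_len` smaller than the whole structure will now receive -4 where they previously got a length.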
diff -Nru libtasn1-3-2.7/debian/patches/series libtasn1-3-2.7/debian/patches/series
--- libtasn1-3-2.7/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libtasn1-3-2.7/debian/patches/series 2012-03-21 16:06:21.000000000 +0100
@@ -0,0 +1 @@
+CVE-2012-1569.diff