Bug#1125063: libtasn1-6: CVE-2025-13151
Andreas Metzler
ametzler at bebt.de
Fri Jan 9 18:17:43 GMT 2026
On 2026-01-08 Moritz Mühlenhoff <jmm at inutil.org> wrote:
> Source: libtasn1-6
> X-Debbugs-CC: team at security.debian.org
> Severity: important
> Tags: security
> Hi,
> The following vulnerability was published for libtasn1-6.
> CVE-2025-13151[0]:
> | Stack-based buffer overflow in libtasn1 version: v4.20.0. The
> | function fails to validate the size of input data resulting in a
> | buffer overflow in asn1_expend_octet_string.
[...]
Looking at the full announcement
https://gitlab.com/gnutls/libtasn1/-/blob/master/doc/security/CVE-2025-13151.md?ref_type=heads
CVE-2025-13151: Stack-based buffer overflow in asn1_expand_octet_string
function
Expanding an "OCTET STRING" element of a structure using the
asn1_expand_octet_string function may lead to a one-byte stack overflow
that may corrupt adjacent memory in the worst case scenario.
Severity: Low
Vulnerable versions : All released version of libtasn1
Not vulnerable : libtasn1 4.21.0
[...]
Exploitation
In order to exploit this, the target program must be using the
asn1_expand_octet_string function explicitly with an excessively long
name (ASN1_MAX_NAME_SIZE = 64 characters) for both the ASN.1 definition
and the target element. Given the ASN.1 definitions are normally part of
the application code base, it is highly unlikely to be exploitable.
https://codesearch.debian.net/ only finds 4 hits for
asn1_expand_octet_string - libtasn1-6 itself, the libtasn copies in
grub2 and gnutls, and a commented call in box64.
This probably does not warrant a DSA.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
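
Added example, not part of the original message and not libtasn1 code: a bounds-checked way to build a "definition.element" name, showing why two names at the quoted ASN1_MAX_NAME_SIZE limit leave a fixed buffer one byte short. It assumes the overflow arises from joining the two names with a '.' separator (the message does not show the affected code); join_names, worst_case_join and the buffer sizes are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define ASN1_MAX_NAME_SIZE 64 /* value quoted in the announcement */

/* Bytes needed for "<definition>.<element>" including the NUL. */
size_t joined_size(const char *def, const char *elem)
{
    return strlen(def) + 1 + strlen(elem) + 1;
}

/* Hypothetical checked join (not a libtasn1 function): 0 on success,
 * -1 if a name is over-long or the result would not fit in out. */
int join_names(char *out, size_t out_size, const char *def, const char *elem)
{
    if (strlen(def) > ASN1_MAX_NAME_SIZE || strlen(elem) > ASN1_MAX_NAME_SIZE)
        return -1;
    if (joined_size(def, elem) > out_size)
        return -1;
    int n = snprintf(out, out_size, "%s.%s", def, elem);
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

/* Constructed worst case: both names at the 64-character limit, joined
 * into a buffer of buf_size bytes (capped at the scratch buffer size). */
int worst_case_join(size_t buf_size)
{
    char def[ASN1_MAX_NAME_SIZE + 1], elem[ASN1_MAX_NAME_SIZE + 1];
    char out[2 * ASN1_MAX_NAME_SIZE + 2];

    memset(def, 'D', ASN1_MAX_NAME_SIZE);
    def[ASN1_MAX_NAME_SIZE] = '\0';
    memset(elem, 'e', ASN1_MAX_NAME_SIZE);
    elem[ASN1_MAX_NAME_SIZE] = '\0';
    if (buf_size > sizeof out)
        buf_size = sizeof out;
    return join_names(out, buf_size, def, elem);
}

int main(void)
{
    /* 2*64+1 = 129 is one byte short of the 130 the worst case needs. */
    printf("2*N+1 buffer: %d\n", worst_case_join(2 * ASN1_MAX_NAME_SIZE + 1));
    printf("2*N+2 buffer: %d\n", worst_case_join(2 * ASN1_MAX_NAME_SIZE + 2));
    return 0;
}
```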