Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

GNU Libtasn1: Denial of service — GLSA 201703-05

A vulnerability in Libtasn1 allows remote attackers to cause a Denial of Service condition.

Affected packages

Package dev-libs/libtasn1 on all architectures
Affected versions < 4.8
Unaffected versions >= 4.8

Background

A library that provides Abstract Syntax Notation One (ASN.1, as specified by the X.680 ITU-T recommendation) parsing and structures management, and Distinguished Encoding Rules (DER, as per X.690) encoding and decoding functions.

Description

Libtasn1 does not correctly handle certain malformed DER certificates.

Impact

A remote attacker could entice a user or automated system to process a specially crafted certificate using Libtasn1, resulting in a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All Libtasn1 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/libtasn1-4.8"

References

Release date
March 28, 2017

Latest revision
March 28, 2017: 1

Severity
normal

Exploitable
remote

Bugzilla entries