[security-announce] libtasn1: Security update

Sona Sarmadi sona.sarmadi at enea.com
Mon Sep 14 12:10:05 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

	Enea Linux Security Advisory

=========================================================
Product/package: libtasn1 4.0
Severity: Moderate
CVE Name: CVE-2015-3622
=========================================================
This security update fixes a heap overflow flaw in
_asn1_extract_der_octet().

Signed patch and README files
================================
0033-libtasn1-CVE-2015-3622.patch
0033-libtasn1-CVE-2015-3622.patch.sig
0033-libtasn1-CVE-2015-3622.README.asc

Description
===========
The _asn1_extract_der_octet function in lib/decoding.c in GNU
Libtasn1 before 4.5 allows remote attackers to cause a denial
of service (out-of-bounds heap read) via a crafted certificate.

References
===========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3622
http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=patch;h=f979435823a02f842c41d49cd41cc81f25b5d677

How to apply the patches
=======================
 - Preparation
Make sure that you have an installation of Enea Linux and have
applied the existing patches in the right order.

wget https://linux.enea.com/5.0-beta-m400/\
Enea-Linux-5.0-beta-m400.tar.gz
tar zxf Enea-Linux-5.0-beta-m400.tar.gz
cd Enea-Linux-5.0-beta-m400/poky
<Fetch and apply the existing patches >

 - Fetch, verify and apply the new patch
wget https://linux.enea.com/5.0-beta-m400/\
patches/0033-libtasn1-CVE-2015-3622.patch
wget https://linux.enea.com/5.0-beta-m400/\
patches/0033-libtasn1-CVE-2015-3622.patch.sig
gpg --verify 0033-libtasn1-CVE-2015-3622.patch.sig
patch -p1 < ./0033-libtasn1-CVE-2015-3622.patch


If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
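
The fetch/verify/apply steps above, wrapped so that `patch` runs only when the detached signature verifies. This is an added example, not part of the Enea advisory; the function name `apply_verified_patch` is hypothetical, and it assumes the Enea signing key is already in the gpg keyring and that the current directory is the poky tree.

```sh
#!/bin/sh
# Added example (not from the advisory). Pasting the advisory's commands as a
# block runs `patch` even when `gpg --verify` fails; this wrapper makes the
# signature check a hard gate.
#
# Usage, from Enea-Linux-5.0-beta-m400/poky:
#   apply_verified_patch 0033-libtasn1-CVE-2015-3622.patch \
#                        0033-libtasn1-CVE-2015-3622.patch.sig

# apply_verified_patch PATCHFILE SIGFILE
# Returns 0 only if the signature verifies and the patch applies cleanly.
#   1 = signature check failed   2 = missing input   3 = patch would not apply
apply_verified_patch() {
    patch_file=$1
    sig_file=$2

    [ -r "$patch_file" ] && [ -r "$sig_file" ] || {
        echo "missing patch or signature file" >&2
        return 2
    }

    # Pass both the signature and the signed data explicitly, so gpg checks
    # exactly the file that is about to be fed to patch.
    if ! gpg --verify "$sig_file" "$patch_file"; then
        echo "signature check failed, not applying $patch_file" >&2
        return 1
    fi

    # Dry run first: a patch that fails halfway leaves a partly modified tree,
    # which usually means an earlier patch in the series was skipped.
    if ! patch -p1 --dry-run < "$patch_file" >/dev/null; then
        echo "patch does not apply cleanly, tree left untouched" >&2
        return 3
    fi

    patch -p1 < "$patch_file"
}
```

A "Good signature" result only means something if the key that made it is one you trust, so check the key's fingerprint against a copy obtained out of band before relying on this gate.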


