Security update for libtasn1 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:3797-1 Final 1 1 2022-10-27T12:34:13Z current 2022-10-27T12:34:13Z 2022-10-27T12:34:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libtasn1 This update for libtasn1 fixes the following issues: Security issue fixed: - CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435). - CVE-2017-6891: Added safety check to fix a stack overflow issue (bsc#1040621). - CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2022-3797,SUSE-SLE-SERVER-12-SP2-BCL-2022-3797 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20223797-1/ Link for SUSE-SU-2022:3797-1 https://lists.suse.com/pipermail/sle-security-updates/2022-October/012726.html E-Mail link for SUSE-SU-2022:3797-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1040621 SUSE Bug 1040621 https://bugzilla.suse.com/1105435 SUSE Bug 1105435 https://bugzilla.suse.com/1204690 SUSE Bug 1204690 https://www.suse.com/security/cve/CVE-2017-6891/ SUSE CVE CVE-2017-6891 page https://www.suse.com/security/cve/CVE-2018-1000654/ SUSE CVE CVE-2018-1000654 page https://www.suse.com/security/cve/CVE-2021-46848/ SUSE CVE CVE-2021-46848 page SUSE Linux Enterprise Server 12 SP2-BCL libtasn1-3.7-13.7.1 libtasn1-6-3.7-13.7.1 libtasn1-6-32bit-3.7-13.7.1 libtasn1-6-64bit-3.7-13.7.1 libtasn1-devel-3.7-13.7.1 libtasn1-devel-32bit-3.7-13.7.1 libtasn1-devel-64bit-3.7-13.7.1 libtasn1-3.7-13.7.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL libtasn1-6-3.7-13.7.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL libtasn1-6-32bit-3.7-13.7.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL Two errors in the "asn1_find_node()" function (lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to cause a stacked-based buffer overflow by tricking a user into processing a specially crafted assignments file via the e.g. asn1Coding utility. CVE-2017-6891 SUSE Linux Enterprise Server 12 SP2-BCL:libtasn1-3.7-13.7.1 SUSE Linux Enterprise Server 12 SP2-BCL:libtasn1-6-3.7-13.7.1 SUSE Linux Enterprise Server 12 SP2-BCL:libtasn1-6-32bit-3.7-13.7.1 moderate 3.3 AV:L/AC:M/Au:N/C:N/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223797-1/ https://www.suse.com/security/cve/CVE-2017-6891.html CVE-2017-6891 https://bugzilla.suse.com/1040621 SUSE Bug 1040621 https://bugzilla.suse.com/1049210 SUSE Bug 1049210 https://bugzilla.suse.com/1149679 SUSE Bug 1149679 GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file. CVE-2018-1000654 SUSE Linux Enterprise Server 12 SP2-BCL:libtasn1-3.7-13.7.1 SUSE Linux Enterprise Server 12 SP2-BCL:libtasn1-6-3.7-13.7.1 SUSE Linux Enterprise Server 12 SP2-BCL:libtasn1-6-32bit-3.7-13.7.1 moderate 7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223797-1/ https://www.suse.com/security/cve/CVE-2018-1000654.html CVE-2018-1000654 https://bugzilla.suse.com/1105435 SUSE Bug 1105435 GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der. CVE-2021-46848 SUSE Linux Enterprise Server 12 SP2-BCL:libtasn1-3.7-13.7.1 SUSE Linux Enterprise Server 12 SP2-BCL:libtasn1-6-3.7-13.7.1 SUSE Linux Enterprise Server 12 SP2-BCL:libtasn1-6-32bit-3.7-13.7.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223797-1/ https://www.suse.com/security/cve/CVE-2021-46848.html CVE-2021-46848 https://bugzilla.suse.com/1204690 SUSE Bug 1204690 https://bugzilla.suse.com/1205081 SUSE Bug 1205081 https://bugzilla.suse.com/1205311 SUSE Bug 1205311 https://bugzilla.suse.com/1208025 SUSE Bug 1208025