Security: Buffer overflow in mingw-libtasn1

Name: Buffer overflow in mingw-libtasn1
ID: FEDORA-2017-d5cf1a55ce
Distribution: Fedora
Platforms: Fedora 26
Date: Sat, 10 June 2017, 11:58
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6891
Applications: GNU Libtasn1

Original message
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2017-d5cf1a55ce
2017-06-09 18:48:36.546397
--------------------------------------------------------------------------------

Name        : mingw-libtasn1
Product     : Fedora 26
Version     : 4.12
Release     : 1.fc26
URL         : http://www.gnu.org/software/libtasn1/
Summary     : MinGW Windows libtasn1 library
Description : libtasn1 is the ASN.1 library used in GNUTLS.

This package contains the MinGW Windows cross compiled libtasn1 library.

--------------------------------------------------------------------------------
Update Information:

Noteworthy changes in release 4.11 (released 2017-05-27) [stable]
- Introduced the ASN1_TIME_ENCODING_ERROR error code to indicate an invalid
  encoding in the DER time fields.
- Introduced flag ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME. This flag allows
  decoding errors in time fields even when in strict DER mode. That is
  introduced in order to allow toleration of invalid times in X.509
  certificates (which are common) even though strict DER adherence is enforced
  in other fields.
- Added safety check in asn1_find_node(). That prevents a crash when a very
  long variable name is provided by the developer. Note that this to be
  exploited requires controlling the ASN.1 definitions used by the developer,
  i.e., the 'name' parameter of asn1_write_value() or asn1_read_value(). The
  library is not designed to protect against malicious manipulation of the
  developer assigned variable names. Reported by Jakub Jirasek.

Noteworthy changes in release 4.10 (released 2017-01-16) [stable]
- Updated gnulib
- Removed -Werror from default compiler flags
- Fixed undefined behavior when negating integers in _asn1_ltostr(). Issue
  found by oss-fuzz project (via gnutls):
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=388
- Pass the correct length to _asn1_get_indefinite_length_string in
  asn1_get_length_ber. This addresses reading 1-byte past the end of data.
  Issue found by oss-fuzz project (via gnutls):
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=330
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=331

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1456764 - CVE-2017-6891 mingw-libtasn1: libtasn1: Stack-based buffer overflow in asn1_find_node() [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1456764
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade mingw-libtasn1' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
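
The release notes above describe a safety check for very long variable names in asn1_find_node(). As an added illustration (not libtasn1 code and not part of the original notification), the following C sketch shows the general shape of such a check when a dotted node path is split into a fixed-size stack buffer. The names `copy_component`, `count_components`, `count_with_long_component` and the 64-byte `MAX_NAME_SIZE` limit are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

#define MAX_NAME_SIZE 64   /* assumed per-component limit for this sketch */

/* Hypothetical helper: copy the next '.'-separated component of path
 * into out (capacity outsz). Returns its length, or -1 if it would not
 * fit. Without the length test, memcpy would write past a fixed-size
 * stack buffer whenever a caller supplies an overlong name. */
static int copy_component(const char *path, char *out, size_t outsz)
{
    size_t len = strcspn(path, ".");

    if (len >= outsz)          /* the safety check: reject, never truncate */
        return -1;
    memcpy(out, path, len);
    out[len] = '\0';
    return (int)len;
}

/* Walk a dotted path such as "PKIX1.Certificate.tbsCertificate".
 * Returns the number of components, or -1 if one is empty or too long. */
int count_components(const char *path)
{
    char name[MAX_NAME_SIZE + 1];   /* fixed stack buffer */
    int count = 0;

    if (path == NULL)
        return -1;
    for (;;) {
        int len = copy_component(path, name, sizeof name);
        if (len <= 0)
            return -1;              /* overlong or empty component */
        count++;
        path += len;
        if (*path == '\0')
            return count;
        path++;                     /* skip the '.' separator */
    }
}

/* Constructed input: "root." followed by n 'A' characters. */
int count_with_long_component(size_t n)
{
    char path[512] = "root.";

    if (n > sizeof path - 6)
        return -2;                  /* does not fit the test buffer */
    memset(path + 5, 'A', n);
    path[5 + n] = '\0';
    return count_components(path);
}
```

A component of exactly `MAX_NAME_SIZE` characters is accepted; one character more is rejected before any copy takes place.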