security update in Fedora EPEL 7 for mingw-libtasn1

Status: stable 2 years ago

Noteworthy changes in release 4.11 (released 2017-05-27) [stable]

  • Introduced the ASN1_TIME_ENCODING_ERROR error code to indicate an invalid encoding in the DER time fields.
  • Introduced flag ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME. This flag allows decoding errors in time fields even when in strict DER mode. That is introduced in order to allow toleration of invalid times in X.509 certificates (which are common) even though strict DER adherence is enforced in other fields.
  • Added safety check in asn1_find_node(). That prevents a crash when a very long variable name is provided by the developer. Note that this to be exploited requires controlling the ASN.1 definitions used by the developer, i.e., the 'name' parameter of asn1_write_value() or asn1_read_value(). The library is not designed to protect against malicious manipulation of the developer assigned variable names. Reported by Jakub Jirasek.

Noteworthy changes in release 4.10 (released 2017-01-16) [stable]

How to install

sudo dnf upgrade --advisory=FEDORA-EPEL-2017-776e20faa7

Comments 5

This update has been submitted for testing by mooninite.

This update has been pushed to testing.

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes

This update has been submitted for stable by mooninite.

This update has been pushed to stable.

Content Type
Test Gating
Submitted by
Update Type
Update Severity
stable threshold: 1
unstable threshold: -2
submitted 2 years ago
in testing 2 years ago
in stable 2 years ago

Related Bugs 3

00 #1218144 CVE-2015-3622 mingw-libtasn1: libtasn1: heap overflow flaw in _asn1_extract_der_octet() [epel-7]
00 #1325970 CVE-2016-4008 mingw-libtasn1: libtasn1: infinite loop while parsing DER certificates [epel-7]
00 #1456766 CVE-2017-6891 mingw-libtasn1: libtasn1: Stack-based buffer overflow in asn1_find_node() [epel-7]

Automated Test Results